Closed Bug 1074980 Opened 11 years ago Closed 11 years ago

Forbid the { foo => $cgi->param() } syntax to prevent data override

Categories

(Bugzilla :: Testing Suite, enhancement)

Product:
Bugzilla
Component:
Testing Suite
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 4.0

People

(Reporter: LpSolit, Assigned: LpSolit)

References

Details

(Keywords: reporter-external, sec-audit, Whiteboard: [reporter-internal])

Attachments

(2 files, 2 obsolete files)

patch for trunk, v2.1
1.49 KB, patch
dkl
: review+
Details | Diff | Splinter Review
patch for 4.x, v1
1.31 KB, patch
dkl
: review+
Details | Diff | Splinter Review
Bug 1074812 is not the first one to report issues when writing { foo => $cgi->param("bar") } but it's certainly the most critical bug in this category. If you pass the 'bar' argument several times in a URL, such as &bar=4&bar=new_field&bar=new_value, then the hash above becomes: { foo => 4, new_field => new_value } which lets you inject new field/value pairs or to override already set field/value pairs. This can lead to security vulnerabilities in case the hash is passed to e.g. a constructor/destructor such as Bugzilla::Foo->create() or ->update() or ->delete() as data has been compromised by the caller. If these methods trust the caller for some of its data, then you are in trouble. I will attach a test to prevent this syntax. The right way to go is to force the CGI argument to be read in scalar context, i.e.: { foo => scalar $cgi->param("bar") } I'm leaving the security flag for now as 8 files in the Bugzilla codebase are currently using this syntax and need careful audit before being disclosed.
Flags: sec-bounty-
Whiteboard: [reporter-internal]
I suggest we resolve these as part of the same security release (or at least determine that they're not exploitable first) as I can pretty much guarantee you that people will go looking for this and want to claim bounties once the one in bug 1074812 is disclosed (that was my first instinct upon seeing it as well).
Flags: blocking4.4.6+
Flags: blocking4.2.11+
Flags: blocking4.0.15+
Whiteboard: [reporter-internal]
Whiteboard: [reporter-internal]
Attached patch patch, v1 (obsolete) — Splinter Review
Many files caught by this test!
Attachment #8497643 - Flags: review?(dkl)
Target Milestone: Bugzilla 4.4 → Bugzilla 4.0
Summary: Forbird the { foo => $cgi->param() } syntax to prevent data override → Forbid the { foo => $cgi->param() } syntax to prevent data override
Comment on attachment 8497643 [details] [diff] [review] patch, v1 Review of attachment 8497643 [details] [diff] [review]: ----------------------------------------------------------------- error at the end: # Looks like you planned 1374 tests but ran 1381.
Attachment #8497643 - Flags: review?(dkl) → review-
(In reply to David Lawrence [:dkl] from comment #3) > Comment on attachment 8497643 [details] [diff] [review] > patch, v1 > > Review of attachment 8497643 [details] [diff] [review]: > ----------------------------------------------------------------- > > error at the end: > > # Looks like you planned 1374 tests but ran 1381. Looking at the patch, we will not know how many tests will be executed depending on how many lines in a file match the regexp check for cgi->param. You may need to use instead: use Test::More qw(no_plan);
Attached patch patch, v2 (obsolete) — Splinter Review
Attachment #8497643 - Attachment is obsolete: true
Attachment #8497758 - Flags: review?(dkl)
Comment on attachment 8497758 [details] [diff] [review] patch, v2 Review of attachment 8497758 [details] [diff] [review]: ----------------------------------------------------------------- I would like to see "all" offending lines in a file in the same test run so please implement similar to this: + my $lineno = 0; + my $error_string = ''; + while (my $file_line = <FILE>) { + $lineno++; + $file_line =~ s/^\s*(.+)\s*$/$1/; # Remove leading and trailing whitespaces. + if ($file_line =~ /^[^#]+=> \$cgi\->param/) { + $error_string .= "$file incorrectly passes a CGI argument to a hash " . + "($file_line) on line $lineno --ERROR\n"; + } + } + + if ($error_string) { + ok(0, $error_string); + } + else { + ok(1, "$file has no vulnerable hash syntax"); + } Fix on commit. r=dkl
Attachment #8497758 - Flags: review?(dkl) → review+
Is the patch going to fix the 15 occurrences of this pattern, so that the test actually passes? Gerv
yes, I'm on it
Now display all errors.
Attachment #8497758 - Attachment is obsolete: true
Attachment #8498144 - Flags: review+
Flags: approval?
Flags: approval4.4?
Flags: approval4.2?
Flags: approval4.0?
Depends on: CVE-2014-1573
Attachment #8498144 - Attachment description: patch, v2.1 → patch for trunk, v2.1
This patch applies to all 4.x branches.
Attachment #8498516 - Flags: review?(dkl)
Comment on attachment 8498516 [details] [diff] [review] patch for 4.x, v1 Review of attachment 8498516 [details] [diff] [review]: ----------------------------------------------------------------- r=dkl for all supported versions
Attachment #8498516 - Flags: review?(dkl) → review+
Flags: approval?
Flags: approval4.4?
Flags: approval4.4+
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 406dea6..c8f8d1e 4.0 -> 4.0 To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git ce590bf..6d6b390 4.2 -> 4.2 To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 7b8e0ab..6364067 4.4 -> 4.4 To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 9e186bd..f33b119 master -> master
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Group: bugzilla-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: