Closed
Bug 343552
Opened 19 years ago
Closed 18 years ago
Bonsai shouldn't try to look ouside of cvsroot via ../
Categories
(Webtools Graveyard :: Bonsai, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: ajschult784, Assigned: ajschult784)
Details
Attachments
(1 file, 2 obsolete files)
1.43 KB,
patch
|
timeless
:
review+
|
Details | Diff | Splinter Review |
I saw this in my logwatch mail this morning
!!!! 1 possible successful probes
/bonsai/cvsblame.cgi?file=../../../../../../../../../../../etc/passwd HTTP Response 200
Further testing indicates
1. bonsai gave them an error page ("Invalid filename")
2. It was the wrong path to passwd
3. bonsai wouldn't have delivered the file it if was the right path because it didn't have ",v" on the end.
4. bonsai happily attempts to parse and deliver files (with ,v at the end) outside of /cvsroot.
Assignee | ||
Comment 1•19 years ago
|
||
further investigation reveals that ChrootFilename in globals.pl prevents anything bad from happening... I guess I'd expect that sort of check to happen before it looks for the RCS file.
Assignee | ||
Comment 2•19 years ago
|
||
This is still not ideal.
file=../some/path/../../cvsroot/somefile
could be used to probe whether /some/path existed or not.
Assignee | ||
Comment 3•19 years ago
|
||
This assumes nothing would hand valid URIs with ../ in them. If this might happen, canonPath could be taught to die if it tried traverse above cvsroot.
Comment on attachment 228064 [details] [diff] [review]
more robust check
i think tinderbox and friends would use ../'s, certainly i would. let's do this some other way :(
Attachment #228064 -
Flags: review?(timeless) → review-
Assignee | ||
Comment 5•18 years ago
|
||
Attachment #228062 -
Attachment is obsolete: true
Attachment #228064 -
Attachment is obsolete: true
Attachment #246702 -
Flags: review?(timeless)
Comment on attachment 246702 [details] [diff] [review]
don't let canonpath walk above cvsroot
note that i believe bonsai now requires 5.6 (open calls?). also i'm not a fan of else after return. but this is ok otherwise :).
Attachment #246702 -
Flags: review?(timeless) → review+
Assignee | ||
Comment 7•18 years ago
|
||
landed. note that the patch doesn't actually have else after return. It just looks like it because perl is strange.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated•8 years ago
|
Product: Webtools → Webtools Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•