You are here: Foswiki>Tasks Web>Item13048 (05 Jul 2015, GeorgeClark)Edit Attach

Item13048: Security issues with Windows and attachment name extensions

pencil
Priority: Security
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component: FoswikiUIUpload
Branches: master
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
-- GeorgeClark - 07 Oct 2014

The current UploadFilter regex, written out for readability:
 (?^:
     ^
       (\\.htaccess |
       .*\\.(?i)
          (?:
            php[0-9s]?(\\..*)? |
            [sp]htm[l]?(\\..*)? |
            pl |
            py |
            cgi
          )        #  Add a ? Here  to make the extension optional on Windows systems
       )
     $)

-- GeorgeClark - 07 Oct 2014

Unit test for the proposed fix:

sub test_illegal_upload_Item13048 {
    my $this = shift;
    local $/ = undef;
    my $data = 'asdfasdf';
    my ( $goodfilename, $badfilename ) =
      Foswiki::Sandbox::sanitizeAttachmentName("\0.htaccess.");

    # Verify that the sanitize process:
    #  - Removes the leading binary zero
    #  - Converts the trailing (dot) to ..txt.  Windows silently strips trailing dot from filenames
    $this->assert_str_equals( '.htaccess..txt', $goodfilename );

    try {
        $this->do_upload(
            $badfilename,
            $data,
            undef,
            hidefile         => 0,
            filecomment      => 'Elucidate the goose',
            createlink       => 0,
            changeproperties => 0
        );
        $this->assert(0);
    }
    catch Foswiki::OopsException with {
        my $e = shift;
        $this->assert_str_equals( $goodfilename,         $e->{params}[1] );
        $this->assert_str_equals( "upload_name_changed", $e->{def} );
    };

    return;
}

-- GeorgeClark - 07 Oct 2014

This test FAILS if the UploadFilter regex is codes as a qr/ / style regex. It gets pre-compiled as case sensitive matching.

    # Test that filter is not case sensitive.
    ( $goodfilename, $badfilename ) =
      Foswiki::Sandbox::sanitizeAttachmentName(".HTAccess");

    $this->assert_str_equals( '.HTAccess.txt', $goodfilename );

    try {
        $this->do_upload(
            $badfilename,
            $data,
            undef,
            hidefile         => 0,
            filecomment      => 'Elucidate the goose',
            createlink       => 0,
            changeproperties => 0
        );
        $this->assert(0);
    }
    catch Foswiki::OopsException with {
        my $e = shift;
        $this->assert_str_equals( $goodfilename,         $e->{params}[1] );
        $this->assert_str_equals( "upload_name_changed", $e->{def} );
    };

-- GeorgeClark - 08 Oct 2014
 

ItemTemplate edit

Summary Security issues with Windows and attachment name extensions
ReportedBy GeorgeClark
Codebase 1.1.9, trunk
SVN Range
AppliesTo Engine
Component FoswikiUIUpload
Priority Security
CurrentState Closed
WaitingFor
Checkins distro:7519c1200ae3
TargetRelease major
ReleasedIn 2.0.0
CheckinsOnBranches master
trunkCheckins
masterCheckins distro:7519c1200ae3
ItemBranchCheckins
Release01x01Checkins
Topic revision: r5 - 05 Jul 2015, GeorgeClark - This page was cached on 25 Jun 2016 - 14:31.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License