
Item13237: Foswiki.pm calls Users::loadSession with tainted ENV{PATH}

Priority: Normal
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component:
Branches: master
Reported By: DavidM
Waiting For:
Last Change By: GeorgeClark
I was able to fix the issue with the following change to ensure ENV has been untainted in case loadSession uses it.

diff -u Foswiki.pm.orig Foswiki.pm
--- Foswiki.pm.orig   2015-01-28 10:28:34.971938969 -0800
+++ Foswiki.pm   2015-01-28 10:28:15.722364621 -0800
@@ -1784,8 +1784,6 @@
     }
     ASSERT( $this->{urlHost} ) if DEBUG;

-    # Load (or create) the CGI session
-    $this->{remoteUser} = $this->{users}->loadSession($defaultUser);

     # Make %ENV safer, preventing hijack of the search path. The
     # environment is set per-query, so this can't be done in a BEGIN.
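Review bot: dropping the loadSession call here without a replacement is only safe if nothing between this point and its new position after the %ENV sanitisation reads $this->{remoteUser}; please confirm that, and consider a one-line comment at the old site so the next reader knows the session load was deliberately moved. The deletion also leaves two consecutive blank lines between the ASSERT and the `# Make %ENV safer` comment.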
@@ -1801,6 +1799,8 @@
         $ENV{PATH} = Foswiki::Sandbox::untaintUnchecked( $ENV{PATH} );
     }
     delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};
+    # Load (or create) the CGI session
+    $this->{remoteUser} = $this->{users}->loadSession($defaultUser);

     if (   $Foswiki::cfg{GetScriptUrlFromCgi}
         && $url
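Review bot: the added `# Load (or create) the CGI session` block follows `delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};` with no separating blank line; add one, and extend the comment to state why the call must come after the %ENV sanitisation (loadSession may run code that consults the search path, which is the bug this task describes), otherwise a later refactor could silently move it back. Also worth noting for readers that `Foswiki::Sandbox::untaintUnchecked( $ENV{PATH} )` only clears the taint flag without validating the value, so this reorder fixes the ordering problem but does not change what PATH contains.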
-- DavidM - 28 Jan 2015

Thanks for debugging this and the proposed fix. Finding subtle tainting issues can be a challenge. Applied to 1.2, but much earlier in the initialization.

-- GeorgeClark - 28 Jan 2015
 

ItemTemplate

Summary: Foswiki.pm calls Users::loadSession with tainted ENV{PATH}
ReportedBy: DavidM
Codebase: 1.1.8
SVN Range:
AppliesTo: Engine
Component:
Priority: Normal
CurrentState: Closed
WaitingFor:
Checkins: distro:e4168dc8634a
TargetRelease: major
ReleasedIn: 2.0.0
CheckinsOnBranches: master
trunkCheckins:
masterCheckins: distro:e4168dc8634a
ItemBranchCheckins:
Release01x01Checkins:
Topic revision: r3 - 05 Jul 2015, GeorgeClark - This page was cached on 27 May 2016 - 12:30.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License