Foswiki > Tasks Web > Item13237 (05 Jul 2015, GeorgeClark)

Item13237: calls Users::loadSession with tainted ENV{PATH}

Priority: Normal
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Branches: master
Reported By: DavidM
Waiting For:
Last Change By: GeorgeClark

I was able to fix the issue with the following change to ensure ENV has been untainted in case loadSession uses it.

diff -u
---   2015-01-28 10:28:34.971938969 -0800
+++   2015-01-28 10:28:15.722364621 -0800
@@ -1784,8 +1784,6 @@
     ASSERT( $this->{urlHost} ) if DEBUG;

-    # Load (or create) the CGI session
-    $this->{remoteUser} = $this->{users}->loadSession($defaultUser);

     # Make %ENV safer, preventing hijack of the search path. The
     # environment is set per-query, so this can't be done in a BEGIN.
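Review bot: Removing the `loadSession` call at this point leaves `$this->{remoteUser}` unset until the call is re-added after the `%ENV` cleanup in the next hunk, and the lines between the two hunks are not shown here. Please confirm that nothing in that gap reads `$this->{remoteUser}` or otherwise depends on the session already being loaded. The removal also leaves two consecutive blank lines after the `ASSERT`; one of them can go.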
@@ -1801,6 +1799,8 @@
         $ENV{PATH} = Foswiki::Sandbox::untaintUnchecked( $ENV{PATH} );
     delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};
+    # Load (or create) the CGI session
+    $this->{remoteUser} = $this->{users}->loadSession($defaultUser);

     if (   $Foswiki::cfg{GetScriptUrlFromCgi}
         && $url
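Review bot: The re-added comment `# Load (or create) the CGI session` does not record why the call now sits after the `%ENV` cleanup, so a later refactor could move it back above it. Suggest extending the comment to say that `loadSession` must run only after `$ENV{PATH}` has been untainted and `IFS CDPATH ENV BASH_ENV` have been deleted, and adding a blank line between the `delete @ENV{...}` line and the comment so the two steps stay visually separate.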
-- DavidM - 28 Jan 2015

Thanks for debugging this and the proposed fix. Finding subtle tainting issues can be a challenge. Applied to 1.2, but much earlier in the initialization.

-- GeorgeClark - 28 Jan 2015
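
The ordering problem discussed above, reduced to a stand-alone script (an added example, not code from Foswiki or from either commenter). `load_session_stub` is a hypothetical stand-in that shells out, and the fixed `PATH` value and `/bin/echo` are assumptions for the demo. Under `-T`, the call made before the cleanup is rejected by Perl's `Insecure $ENV{PATH}` check, while the same call made after it runs.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_order.pl
use strict;
use warnings;

# Hypothetical stand-in for a session loader that runs an external command.
# In taint mode, backticks die while %ENV still holds tainted values.
sub load_session_stub {
    my $out = `/bin/echo session-loaded`;
    chomp $out;
    return $out;
}

# Cleanup in the spirit of the patch's context lines: give PATH a known
# value and drop the variables a shell would honour.
sub sanitize_env {
    $ENV{PATH} = '/bin:/usr/bin';    # assumed safe value for this demo
    delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};
    return;
}

# Order 1: session first, environment still as inherited (pre-patch order).
my $before = eval { load_session_stub() };
print "before cleanup: ", ( defined $before ? "$before\n" : "died: $@" );

# Order 2: environment cleaned first, then the session (patched order).
sanitize_env();
my $after = eval { load_session_stub() };
print "after cleanup:  ", ( defined $after ? "$after\n" : "died: $@" );
```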

ItemTemplate

Summary: calls Users::loadSession with tainted ENV{PATH}
ReportedBy: DavidM
Codebase: 1.1.8
SVN Range:
AppliesTo: Engine
Priority: Normal
CurrentState: Closed
Checkins: distro:e4168dc8634a
TargetRelease: major
ReleasedIn: 2.0.0
CheckinsOnBranches: master
masterCheckins: distro:e4168dc8634a
Topic revision: r3 - 05 Jul 2015, GeorgeClark