
Item13237: calls Users::loadSession with tainted ENV{PATH}

Priority: Normal
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Branches: master
Reported By: DavidM
Waiting For:
Last Change By: GeorgeClark
I was able to fix the issue with the following change to ensure ENV has been untainted in case loadSession uses it.

diff -u
---   2015-01-28 10:28:34.971938969 -0800
+++   2015-01-28 10:28:15.722364621 -0800
@@ -1784,8 +1784,6 @@
     ASSERT( $this->{urlHost} ) if DEBUG;

-    # Load (or create) the CGI session
-    $this->{remoteUser} = $this->{users}->loadSession($defaultUser);

     # Make %ENV safer, preventing hijack of the search path. The
     # environment is set per-query, so this can't be done in a BEGIN.
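Review bot: Removing the two lines after the ASSERT leaves two consecutive blank lines ahead of the "Make %ENV safer" comment; drop one of them. Because `$this->{remoteUser}` is now assigned later in the function (second hunk), also confirm that nothing between this point and the new call site reads it.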
@@ -1801,6 +1799,8 @@
         $ENV{PATH} = Foswiki::Sandbox::untaintUnchecked( $ENV{PATH} );
     delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};
+    # Load (or create) the CGI session
+    $this->{remoteUser} = $this->{users}->loadSession($defaultUser);

     if (   $Foswiki::cfg{GetScriptUrlFromCgi}
         && $url
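Review bot: The comment re-added at the new call site still says only "Load (or create) the CGI session" and does not record that the call must stay after the `$ENV{PATH}` untaint and the `delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};` line, so a later tidy-up could move it back above the cleanup; state the ordering requirement in the comment. A blank line between the `delete` statement and the new comment would also keep the session load visually separate from the environment cleanup.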
-- DavidM - 28 Jan 2015

Thanks for debugging this and the proposed fix. Finding subtle tainting issues can be a challenge. Applied to 1.2, but much earlier in the initialization.

-- GeorgeClark - 28 Jan 2015
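
The ordering problem discussed in this item, as an added example that is not Foswiki code and not part of the original report. `load_session` is a hypothetical stand-in that runs an external command, and the fixed PATH value is an assumption (the code in the diff untaints the inherited value with `Foswiki::Sandbox::untaintUnchecked` instead).

```perl
#!/usr/bin/perl -T
# Added example, not Foswiki code. Run on a POSIX system as: perl -T taint_order.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical stand-in for a session loader that runs an external program.
# Under -T, Perl refuses to spawn a process while $ENV{PATH} (or IFS, CDPATH,
# ENV, BASH_ENV) is still tainted.
sub load_session {
    my $out = eval { `echo session-loaded` };
    return defined $out ? "ok: $out" : "died: $@";
}

printf "PATH tainted at startup: %s\n", tainted( $ENV{PATH} ) ? 'yes' : 'no';

# Order before the fix: session load first, environment cleanup later.
print "before cleanup -> ", load_session();

# Environment cleanup. A fixed PATH is assigned here (assumption) instead of
# laundering the inherited value, so a caller-supplied search path is never trusted.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};

# Order after the fix: session load once %ENV is clean.
print "after cleanup  -> ", load_session();
```

The first call reports Perl's "Insecure $ENV{PATH}" taint error; the second runs the command.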

ItemTemplate

Summary calls Users::loadSession with tainted ENV{PATH}
ReportedBy DavidM
Codebase 1.1.8
SVN Range
AppliesTo Engine
Priority Normal
CurrentState Closed
Checkins distro:e4168dc8634a
TargetRelease major
ReleasedIn 2.0.0
CheckinsOnBranches master
masterCheckins distro:e4168dc8634a
Topic revision: r3 - 05 Jul 2015, GeorgeClark