
Item13237: Foswiki.pm calls Users::loadSession with tainted ENV{PATH}

Priority: Normal
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component:
Branches: master
Reported By: DavidM
Waiting For:
Last Change By: GeorgeClark
I was able to fix the issue with the following change to ensure ENV has been untainted in case loadSession uses it.

diff -u Foswiki.pm.orig Foswiki.pm
--- Foswiki.pm.orig   2015-01-28 10:28:34.971938969 -0800
+++ Foswiki.pm   2015-01-28 10:28:15.722364621 -0800
@@ -1784,8 +1784,6 @@
     }
     ASSERT( $this->{urlHost} ) if DEBUG;

-    # Load (or create) the CGI session
-    $this->{remoteUser} = $this->{users}->loadSession($defaultUser);

     # Make %ENV safer, preventing hijack of the search path. The
     # environment is set per-query, so this can't be done in a BEGIN.
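Review bot: removing the `loadSession` call here leaves two consecutive blank lines between the `ASSERT` and the `# Make %ENV safer` comment; drop one of them. More importantly, the lines between this hunk and the next (original 1786 to 1798) are not shown, so confirm that none of them read `$this->{remoteUser}`, which with this change stays unset until after the environment cleanup.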
@@ -1801,6 +1799,8 @@
         $ENV{PATH} = Foswiki::Sandbox::untaintUnchecked( $ENV{PATH} );
     }
     delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};
+    # Load (or create) the CGI session
+    $this->{remoteUser} = $this->{users}->loadSession($defaultUser);

     if (   $Foswiki::cfg{GetScriptUrlFromCgi}
         && $url
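Review bot: the reinserted call now runs only after `$ENV{PATH}` has gone through `untaintUnchecked` and `IFS`, `CDPATH`, `ENV` and `BASH_ENV` have been deleted, which is what clears the taint failure; the context comment ("can't be done in a BEGIN") explains why this has to stay in per-request code rather than at compile time. Two things to check: `untaintUnchecked` accepts the inherited PATH verbatim, so on the branch shown this satisfies Perl's taint check without validating the value, and that untaint sits inside a conditional (the `}` at the top of the hunk), so verify the branch is actually taken in the failing configuration. Style: add a blank line before the added `# Load (or create) the CGI session` comment so the session block reads as separate from the `%ENV` cleanup.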
-- DavidM - 28 Jan 2015
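Added example, not Foswiki's code, written in Perl because that is the language of the patch: the environment cleanup that the patch moves ahead of `loadSession`, as a stand-alone function. Nothing here comes from Foswiki; the allow-list pattern for PATH entries is this example's own choice and is stricter than the `untaintUnchecked` call in the hunk, which accepts the inherited value as-is. The sample environment at the bottom is constructed.

```perl
use strict;
use warnings;

# Illustration only (not Foswiki code): clean up an environment hash before
# anything that may spawn a subprocess runs. Takes a hashref so the function
# can be exercised on a constructed hash without touching the real %ENV.
sub sanitize_env {
    my ($env) = @_;

    # Untaint PATH by validating each entry against an allow-list pattern
    # rather than accepting the inherited value verbatim. Under "perl -T",
    # only the captured group ($1) is considered untainted.
    my @safe;
    for my $dir ( split /:/, ( $env->{PATH} // '' ) ) {
        # keep only absolute directories made of plain path characters;
        # relative entries such as "." and anything with spaces or shell
        # metacharacters are dropped
        next unless $dir =~ m{^(/[\w./-]*)$};
        push @safe, $1;
    }
    $env->{PATH} = join ':', @safe;

    # These variables change how a shell interprets commands; drop them,
    # mirroring the delete in the patch above.
    delete @{$env}{qw( IFS CDPATH ENV BASH_ENV )};

    return $env;
}

unless (caller) {
    # constructed sample: a relative entry and a directory with a space
    # have been injected into PATH, and two shell-influencing variables set
    my %env = (
        PATH     => '/usr/bin:.:/tmp/evil dir:/bin',
        IFS      => ' ',
        BASH_ENV => '/tmp/profile',
    );
    sanitize_env( \%env );
    print "PATH=$env{PATH}\n";
    print "IFS present: ",      ( exists $env{IFS}      ? 'yes' : 'no' ), "\n";
    print "BASH_ENV present: ", ( exists $env{BASH_ENV} ? 'yes' : 'no' ), "\n";
}

1;
```

Run it with `perl -T` to see the taint rules in effect. The ordering the patch restores is the point: any code that can end up in `system`, backticks or a piped `open` (session loading included, if a user mapping handler shells out) has to come after the cleanup, not before it.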

Thanks for debugging this and the proposed fix. Finding subtle tainting issues can be a challenge. Applied to 1.2, but much earlier in the initialization.

-- GeorgeClark - 28 Jan 2015
Codebase: 1.1.8
Checkins: distro:e4168dc8634a (master)
Topic revision: r3 - 05 Jul 2015, GeorgeClark