#230 using ../ possible with local__uriGetter

Need_for_security
closed-fixed
9
2005-07-24
2005-07-17
Steve Jenson
No

FIXED
We found one bug in the Powerbox: the capability
granted to the CapBrowser to read arbitrary files under
its subdirectory was mis-implemented. In particular,
the Powerbox implemented this restriction by building a
method that took a relative filename, appended it to
the CapBrowser’s directory, loaded this file (using the
Powerbox’s extra powers), and returned the result to
the CapBrowser. However, if the CapBrowser requested a
filename of the form “../foo”, then the Powerbox would
happily let the CapBrowser read a file outside of its
directory, in violation of the Powerbox programmer’s
intentions.

Followups

Comment:
I now make a file out of the relative filename first,
using the file__uriGetter that works oh so carefully to
ensure that tricky character combos can't nail you. So
the process is now as safe as the base mechanism of E.
Date: 2002-Mar-30 00:03
By: marcs
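
The flaw in the report and one way to confine such a lookup, as an added Python model: this is not the Powerbox's E code and not the file__uriGetter-based fix described in the comment. The function names, the "capbrowser" directory and the sample files are constructed for the example; the confinement shown is resolve-then-check-containment.

```python
import os
import tempfile
from pathlib import Path


def read_unconfined(base_dir, relative_name):
    """Flawed grant as reported: append the name to the directory, then read."""
    with open(os.path.join(base_dir, relative_name), "rb") as fh:
        return fh.read()


def resolve_confined(base_dir, relative_name):
    """Return the resolved path if it stays under base_dir, else raise."""
    base = Path(base_dir).resolve(strict=True)
    # resolve() collapses ".." and follows symlinks, so the containment
    # check sees the file that would actually be opened.
    target = (base / relative_name).resolve(strict=False)
    if target != base and base not in target.parents:
        raise PermissionError(f"{relative_name!r} escapes {base}")
    return target


def read_confined(base_dir, relative_name):
    return resolve_confined(base_dir, relative_name).read_bytes()


def demo():
    """Compare both readers on a constructed directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        browser_dir = os.path.join(root, "capbrowser")  # constructed name
        os.mkdir(browser_dir)
        Path(browser_dir, "page.html").write_bytes(b"inside")
        Path(root, "foo").write_bytes(b"outside")  # sibling of the grant
        results["flawed ../foo"] = read_unconfined(browser_dir, "../foo")
        results["confined page.html"] = read_confined(browser_dir, "page.html")
        cases = {"../foo": "../foo", "sub/../../foo": "sub/../../foo",
                 "absolute": os.path.join(root, "foo")}
        for label, name in cases.items():
            try:
                read_confined(browser_dir, name)
                results[label] = "read"
            except PermissionError:
                results[label] = "denied"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```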

Discussion

  • Steve Jenson
    2005-07-18

    • status: open --> open-fixed
     
  • Steve Jenson
    2005-07-18

    • status: open-fixed --> closed-fixed
     
    • assigned_to: nobody --> caplet