#3 Patch to v2.0.0

closed
All Patches (2)
8
2012-10-05
2005-08-24
No

This patch applies only to v2.0.0 and only the ASP
implementation of the backend.

I have changed the way the eval string is generated. In
the past, we read in each variable from the querystring
or POST data and generated a string from it. For
example, if this was our querystring:

cpaint_argument=add&cpaint_argument[]=2&cpaint_argument[]=5

... the eval string would read:

add(2, 5)

Obviously, this can cause major problems when
malicious code is passed in, as we saw in v1.3 and
below. Previously, we fixed this bug by checking
incoming data against a blacklist that searched for
certain strings.

However, with this change, we are no longer directly
reading the variables, but rather passing them onto the
function. So, now the eval string reads:

add(request.querystring("cpaint_argument[]")(1),
request.querystring("cpaint_argument[]")(2))

(Of course, this could change, based on the number of
incoming arguments and whether GET or POST was
used.) This method is much more secure, because any
malicious strings that are passed in are sent to your
function and not interpreted on the eval line. (However,
if you run eval in your function using the parameters, the
same hole could reappear, but that's on you - not us!)

Please note that we don't do any sanitation on the
incoming data. We don't do this in any of the PHP
backend implementations either, however - that may
change in the future (no promises as to when or if
though).

While we believe the v2.0.0 release code is safe, this
patch further solidifies the code and our commitment
to "safe hex". :-)

To apply this patch, simply download the attached file
and overwrite your existing cpaint2.inc.asp file.
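The two ways of building the eval string that the description above contrasts, modelled in JavaScript as an added example (this is not CPAINT's code and not the ASP backend; the handler table, the argument list and the unknown-function check are assumptions made here). The old builder puts request values inside the code string, the patched builder only puts index references to the argument collection there, and a third variant dispatches from a table with no code string at all:

```javascript
// Added example, not CPAINT's own code: the two eval-string builders the
// patch description contrasts, modelled in JavaScript. The handler table
// and the argument list are constructed here; CPAINT's ASP backend reads
// cpaint_argument[] from the querystring or POST body.

// Constructed handler table standing in for the user's backend functions.
const handlers = {
  add: (a, b) => Number(a) + Number(b),
};

// Pre-patch behaviour: every argument value is interpolated into the
// code string, so request data becomes part of what eval parses.
function buildEvalStringOld(fn, args) {
  return `${fn}(${args.join(', ')})`;
}

// Patched behaviour: the code string only references the argument
// collection by index; the values themselves are never parsed as code.
function buildEvalStringNew(fn, args) {
  const refs = args.map((_, i) => `args[${i}]`);
  return `${fn}(${refs.join(', ')})`;
}

// Minimal evaluator for the old string. `new Function` stands in for
// eval so the handler table is passed in explicitly.
function runOld(fn, args) {
  const code = buildEvalStringOld(fn, args);
  return new Function('handlers', `return handlers.${code}`)(handlers);
}

// Evaluator for the patched string: the argument array is handed to the
// generated code as a parameter, so only `args[i]` appears in the code.
function runNew(fn, args) {
  // Assumed check (not on the page): only dispatch to known handlers.
  if (!Object.prototype.hasOwnProperty.call(handlers, fn)) {
    throw new Error(`unknown function: ${fn}`);
  }
  const code = buildEvalStringNew(fn, args);
  return new Function('handlers', 'args', `return handlers.${code}`)(handlers, args);
}

// Variant with no code string at all: a table lookup does the dispatch,
// so neither the function name nor the values are ever parsed as code.
function runTable(fn, args) {
  if (!Object.prototype.hasOwnProperty.call(handlers, fn)) {
    throw new Error(`unknown function: ${fn}`);
  }
  return handlers[fn](...args);
}

// Classify what a non-numeric argument does under the old scheme: the
// value lands in the code string and is parsed as an identifier, which
// surfaces as a ReferenceError rather than reaching the handler as data.
function classifyOld(fn, args) {
  try {
    runOld(fn, args);
    return 'evaluated';
  } catch (e) {
    return e instanceof ReferenceError ? 'value parsed as code' : 'error';
  }
}
```

With the request `add` / `2` / `5` all three variants return 7; the difference shows with a value such as `total`, which the old builder turns into `add(2, total)` and parses as code, while the patched builder passes it to the handler as a plain string (giving `NaN` from `Number('total')`).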

Discussion

  • Paige Sullivan

    Paige Sullivan - 2005-08-24

    Eval patch for v2.0.0/ASP

  • Paige Sullivan

    Paige Sullivan - 2005-09-05


    Changes integrated into v2.0.1
