Re: [mod-security-users] Problems with @inspectFile not escaping arguments
From: Felipe C. <FC...@tr...> - 2015-12-08 14:00:22
Hi,

On 12/8/15, 10:21 AM, "Reindl Harald" <h.r...@th...> wrote:

> Am 08.12.2015 um 14:04 schrieb Felipe Costa:
>> Hi Gryzli,
>>
>> Thank you for the report.
>>
>> Do not use @inspectFile with variables that you don't have control over. @inspectFile
>> was originally created to be used with FILES_TMPNAMES [1], as cited in the
>> example [2]. The content of FILES_TMPNAMES is generated by ModSecurity, therefore we
>> don't need to escape.
>
> SecRule FILES_TMPNAMES "@inspectFile /etc/httpd/modsecurity.d/check-upload.php" \
>     "id:'141',phase:2,block,status:400,t:none"
>
> that script gets called for each uploaded file with the full, sanitized
> path as param by modsec

Exactly, like I said, it is safe to use @inspectFile with the variable FILES_TMPNAMES. It _may_ not be safe to use with other variables.

[…]

>> For ModSecurity version 3, the @inspectFile may not be necessary anymore. We wish to
>> support natively:
>
> how is that supposed to work "natively"?

I am sorry, my fault, the term "natively" may not be the correct one. By natively I meant the same integration we currently have with Lua, where the user will be able to access collections and variables via script, etc...

> i mean the idea of calling an external script is to keep that as small
> and focused as possible while at the same time
>
> what i would like to see natively supported is a config file with allowed
> mimetypes and check upload-files against it - that's what our script
> basically does with the following code
>
> the reason for calling the file-command is that on Fedora that package
> is typically recent while the native php-functions are proven to often
> detect the wrong mimetypes even for gif-images and the bundled
> php-stuff doesn't see much updates to fix the error in a timely manner if ever
>
>     ob_start();
>     passthru('/usr/bin/file -b --mime-type ' . escapeshellarg($_SERVER['argv'][1]));
>     $mime_type = trim(ob_get_clean());
>     switch(in_array($mime_type, $allowed_mimetypes))
>     {
>         case true:  exit("1: upload mime-type '" . $mime_type . "' allowed\n");     break;
>         case false: exit("0: upload mime-type '" . $mime_type . "' not allowed\n"); break;
>     }

I always look at that script integration as something easy to be deployed and tested, but later to be transformed into an operator and/or variables for a performance boost. It does not mean that you cannot use it in production, just saying that it opens the possibility for fast prototyping.

I understand your need with the `file' example, but, do you think you can achieve the same level of "functionality" by using a python script? In python it will be something like (not tested):

    import magic

    mime = magic.Magic(mime=True)
    allowed = ["text/plain", "text/something"]

    # modsec.transaction.file_tmpnames is the sketched v3 scripting API
    # referred to above (the Lua-style integration), not an existing module.
    def check_uploads(file_tmpnames):
        for i in file_tmpnames:
            mime_type = mime.from_file(i)
            if mime_type not in allowed:
                return [0, "upload mime-type ‘…’ not allowed"]
        # success path assumed: same "1 = proceed" convention as @inspectFile
        return [1, "upload mime-types allowed"]

    check_uploads(modsec.transaction.file_tmpnames)

What do you think?

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
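Added example, not code from the thread or from the ModSecurity project: a complete @inspectFile script in the style of the PHP one quoted above, checking an upload's MIME type against an allow-list. It follows the operator's contract (ModSecurity runs the script once per FILES_TMPNAMES entry with the temporary file path as argv[1] and reads one line of output whose first character is 1 to accept or 0 to reject, which makes the rule match). Instead of shelling out to file(1) or depending on python-magic, it sniffs a small, constructed set of magic-byte signatures with the standard library only; the allow-list, the signature table and the sample uploads in demo() are assumptions for illustration.

```python
#!/usr/bin/env python3
"""@inspectFile upload checker (added example, not ModSecurity's own code).

Invocation by ModSecurity, per FILES_TMPNAMES entry:  <script> /tmp/<upload>
Output contract: one line, leading '1' = accept, leading '0' = reject (match).
"""
import os
import sys
import tempfile

# Constructed subset of magic-byte signatures; file(1) knows far more.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]

# Assumed allow-list; in the quoted PHP this is $allowed_mimetypes.
ALLOWED_MIMETYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf"}


def sniff_bytes(head):
    """Map the first bytes of a file to a MIME type, or octet-stream if unknown."""
    for magic, mime in SIGNATURES:
        if head.startswith(magic):
            return mime
    return "application/octet-stream"


def sniff_mime(path):
    with open(path, "rb") as fh:
        return sniff_bytes(fh.read(16))


def inspect_upload(path, allowed=ALLOWED_MIMETYPES):
    """Return (status, message) where status 1 = allow and 0 = reject."""
    if not os.path.isfile(path):
        # Fail closed: an unreadable temp file must not pass silently.
        return 0, "file %r not found" % path
    mime = sniff_mime(path)
    if mime in allowed:
        return 1, "upload mime-type '%s' allowed" % mime
    return 0, "upload mime-type '%s' not allowed" % mime


def demo():
    """Write constructed sample uploads to a temp dir and inspect each one."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "shell.php": b"<?php system($_GET['c']); ?>",
        # GIF header followed by PHP: passes a pure magic-byte check (polyglot).
        "polyglot.php": b"GIF89a" + b"<?php system($_GET['c']); ?>",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = inspect_upload(path)
    return results


def main(argv):
    if len(argv) != 2:
        # No verdict would be indistinguishable from a clean file; reject instead.
        print("0 usage: %s <uploaded-file>" % argv[0])
        return 1
    status, msg = inspect_upload(argv[1])
    print("%d %s" % (status, msg))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in with the rule quoted in the thread, substituting this script's absolute path for check-upload.php, and keep the target as FILES_TMPNAMES: the path is then generated by ModSecurity, which is the only reason the unescaped argument is safe. The polyglot sample shows the limit of any magic-byte check, whether done here or by file(1): a valid image header followed by a script body is still reported as image/gif, so the MIME check should be one layer alongside an extension allow-list and a non-executable upload directory.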