#25 Restrict file reading option for Webapps

closed-accepted
nobody
None
5
2002-08-23
2002-08-17
Liam Quinn
No

OpenSP is often used in Web applications such as HTML
validators. These Web applications are currently
vulnerable to remote file reading when users submit a
file that contains an entity such as
<!ENTITY passwd SYSTEM "/etc/passwd">.

This patch adds a new command-line option, -R or
--restricted, that restricts file reading to
directories listed in the -D command-line option or in
the SGML_SEARCH_PATH. Also, when -R is used, filenames
containing ".." will not be read, and as a further
security precaution the characters used in the filename
are limited to A-Z, a-z, 0-9, '/', '.', '_', '-'.

The patch is against opensp_1_5_pre5 but should apply
cleanly to the latest opensp_1_5_branch.

Discussion

  • Liam Quinn

    Liam Quinn - 2002-08-17

    Patch to add a restricted file reading option

     
  • Terje Bless

    Terje Bless - 2002-08-19

    Logged In: YES
    user_id=8470

    Applies cleanly to opensp_1_5_branch and builds and runs
    fine on Debian and Red Hat. The patch appears to be pretty
    much zero-impact and is essential for CGI and similar
    applications.

     
  • Liam Quinn

    Liam Quinn - 2002-08-23
    • status: open --> closed-accepted
     
  • Liam Quinn

    Liam Quinn - 2002-08-23

    Logged In: YES
    user_id=312969

    I've applied the patch to opensp_1_5_branch and checked it in.

     

Log in to post a comment.