[Fedora-directory-commits] adminutil/lib/libadminutil form_post.c, 1.2, 1.3
Richard Allen Megginson (rmeggins)
fedora-directory-commits at redhat.com
Thu May 11 14:23:23 UTC 2006
Author: rmeggins
Update of /cvs/dirsec/adminutil/lib/libadminutil
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17600/adminutil/lib/libadminutil
Modified Files:
form_post.c
Log Message:
Bug: 186280
Description: Close potential security vulnerabilities in CGI code
Reviewed by: Nathan and Noriko (Thanks!)
Fix Description: These address a variety of issues with our CGIs. The basic
strategy is - Don't Trust The User - any data passed in as a GET/POST parameter
is suspect. I mostly looked at parameters which are filenames or filename
components, but I also made sure that we don't try to dereference a null
parameter or similar things such as that. For filenames, I mostly just verified
that path components contain path valid characters (e.g. not things like ../ or
"" or potential attack strings), verify that the given filename exists in the
given directory using opendir/readdir instead of just relying on PR_Access
(which would report success on a path like
/opt/fedora-ds/alias/../../../etc/passwd), and some attacks which could be based
on using something like this:
PR_snprintf(buf, sizeof(buf), "%s/alias", pathfromuser);
If pathfromuser overflows buf, the /alias will not be appended and we could be
using some bogus path. I replaced most of these with PR_smprintf.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
Index: form_post.c
===================================================================
RCS file: /cvs/dirsec/adminutil/lib/libadminutil/form_post.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- form_post.c 22 Mar 2006 23:47:14 -0000 1.2
+++ form_post.c 11 May 2006 14:23:21 -0000 1.3
@@ -192,7 +192,7 @@
x=0;
tmp = strtok(in, "&");
- if (!tmp) { /* error, bail out */
+ if (!tmp || !strchr(tmp, '=')) { /* error, bail out */
PR_Free(in);
return(ans);
}
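Review bot: The added `!strchr(tmp, '=')` test on the first token only checks that an `=` appears somewhere, so a token that starts with `=` (an empty parameter name) still passes. If callers look values up by name, consider also rejecting `tmp[0] == '='` here. The `/* error, bail out */` branch returns `ans` without reporting anything, so it would help to note in the comment what `ans` holds at this point and how a caller is expected to tell a malformed request from an empty one.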
@@ -218,6 +218,10 @@
form_unescape(ans[x++]);
while((tmp = strtok(NULL, "&"))) {
+ if (!strchr(tmp, '=')) {
+ PR_Free(in);
+ return ans;
+ }
if (!(ans[x] = PL_strdup(tmp))) {
if (admutil_i18nResource) {
rpt_err(MEMORY_ERROR,
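Review bot: The early return added inside the `while` loop hands back `ans` with the entries parsed so far and silently drops the rest of the input, with no error reported, whereas the `PL_strdup` failure path just below it calls `rpt_err`. Either report the malformed token the same way or document that a partial result is intended, and confirm that `ans[x]` is already a terminating NULL when this return is taken. Minor style point: this hunk uses `return ans;` while the existing code in the previous hunk uses `return(ans);`.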
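The filename checks and the truncation problem described in the log message, as an added C example that is not part of the original commit or the project's code. It uses standard `snprintf` with an explicit truncation check in place of NSPR's `PR_smprintf`; the function names, the character allow-list and the sample paths are assumptions made for illustration.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* One path component only: non-empty, not "." or "..", and limited to
 * [A-Za-z0-9._-] (an allow-list assumed for this example). */
int valid_component(const char *name) {
    if (!name || !*name || !strcmp(name, ".") || !strcmp(name, ".."))
        return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("._-", *p))
            return 0;
    return 1;
}

/* True only if name is a literal entry of dir: it is compared against
 * readdir() results and never resolved as a path. */
int exists_in_dir(const char *dir, const char *name) {
    DIR *d = opendir(dir);
    struct dirent *e;
    int found = 0;
    if (!d) return 0;
    while (!found && (e = readdir(d)) != NULL)
        found = (strcmp(e->d_name, name) == 0);
    closedir(d);
    return found;
}

/* Build "<base>/alias"; return -1 instead of handing back a truncated path
 * that has silently lost the "/alias" suffix. */
int build_alias_path(const char *base, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "%s/alias", base);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void) {
    char small[16], big[64]; /* constructed sizes: small cannot hold the result */
    printf("small: %d\n", build_alias_path("/opt/fedora-ds", small, sizeof small));
    printf("big:   %d %s\n", build_alias_path("/opt/fedora-ds", big, sizeof big), big);
    printf("valid: %d %d\n", valid_component("cert8.db"), valid_component("../etc"));
    printf("found: %d\n", exists_in_dir("/", "../etc/passwd"));
    return 0;
}
```

`valid_component` has to run before `exists_in_dir`, because `readdir` itself returns the `.` and `..` entries.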