
action #1988

review file controllers

Added by lnussel over 8 years ago. Updated over 8 years ago.

Status: Resolved
Priority: High
Assignee:
Category: -
Target version:
Start date: 2014-03-26
Due date:
% Done: 100%
Estimated time: 3.00 h
Difficulty:

Description

We need to double-check the file controllers to make sure they do not allow arbitrary file access (i.e. something like ../../../etc/passwd) before or around the time we go live.


Related issues

Related to openQA Project - action #1801: Reimplement the File controller taking advantage of Mojolicious::Static - Resolved 2014-03-05

History

#1 Updated by lnussel over 8 years ago

  • Estimated time set to 3.00 h

#2 Updated by ancorgs over 8 years ago

As suggested in #1801, we should take a look at Mojolicious::Static: http://mojolicio.us/perldoc/Mojolicious/Static

#3 Updated by lnussel over 8 years ago

  • Target version set to Sprint 06

#4 Updated by coolo over 8 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 100

I implemented #1801 and, while I did, I reviewed the code. It's impossible to match / in parameters, and we don't do any manual unescaping. So unless I overlook something highly unobvious, it's impossible to get out of the test directory. The only exception was the ISO download, which I fixed not to take custom file names. We only allow downloads of ISO files of valid tests. Christopher allowed all files in the iso directory, which is not what we want IMO.

#5 Updated by coolo over 8 years ago

  • Status changed from In Progress to Resolved
  • Assignee set to coolo
