Project

General

Profile

Actions

action #1988

closed

review file controllers

Added by lnussel over 10 years ago. Updated over 10 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
-
Target version:
Start date:
2014-03-26
Due date:
% Done:

100%

Estimated time:
3.00 h

Description

we need to double check the file controllers to not allow arbitrary file access (ie something like ../../../etc/passwd) before or around we go live.


Related issues 1 (0 open1 closed)

Related to openQA Project - action #1801: Reimplement the File controller taking advantage of Mojolicious::Static Resolvedcoolo2014-03-05

Actions
Actions #1

Updated by lnussel over 10 years ago

  • Estimated time set to 3.00 h
Actions #2

Updated by ancorgs over 10 years ago

As suggested in #1801, we should take a look into Mojolicious::Static http://mojolicio.us/perldoc/Mojolicious/Static

Actions #3

Updated by lnussel over 10 years ago

  • Target version set to Sprint 06
Actions #4

Updated by coolo over 10 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 100

I implemented 1801 and while I did, I reviewed the code. It's impossible to match / for parameters and we don't do any manual descape. So unless I oversee something highly unobvious, it's impossible to get out of the test directory. The only exception was the iso download, that I fixed not to take custom file names. We only allow downloads of ISO files of valid tests. Christoper allowed all files in iso directory - which is not what we want IMO.

Actions #5

Updated by coolo over 10 years ago

  • Status changed from In Progress to Resolved
  • Assignee set to coolo
Actions

Also available in: Atom PDF