action #1988
closed
Added by lnussel almost 11 years ago.
Updated over 10 years ago.
Description
We need to double-check the file controllers to not allow arbitrary file access (i.e. something like ../../../etc/passwd) before or around the time we go live.
- Estimated time set to 3.00 h
- Target version set to Sprint 06
- Status changed from New to In Progress
- % Done changed from 0 to 100
I implemented 1801 and, while I did, I reviewed the code. It's impossible to match / for parameters and we don't do any manual descape. So unless I overlook something highly unobvious, it's impossible to get out of the test directory. The only exception was the ISO download, which I fixed not to take custom file names. We only allow downloads of ISO files of valid tests. Christoper allowed all files in the iso directory - which is not what we want IMO.
- Status changed from In Progress to Resolved
- Assignee set to coolo