From c13fc5414543a80723550020f988b012ac310892 Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: May 11 2006 14:23:21 +0000 Subject: Bug: 186280 Description: Close potential security vulnerabilities in CGI code Reviewed by: Nathan and Noriko (Thanks!) Fix Description: These address a variety of issues with our CGIs. The basic strategy is - Don't Trust The User - any data passed in as a GET/POST parameter is suspect. I mostly looked at parameters which are filenames or filename components, but I also made sure that we don't try to dereference a null parameter or similar things such as that. For filenames, I mostly just verified that path components contain path valid characters (e.g. not things like ../ or "" or potential attack strings), verify that the given filename exists in the given directory using opendir/readdir instead of just relying on PR_Access (which would report success on a path like /opt/fedora-ds/alias/../../../etc/passwd), and some attacks which could be based on using something like this: PR_snprintf(buf, sizeof(buf), "%s/alias", pathfromuser); If pathfromuser overflows buf, the /alias will not be appended and we could be using some bogus path. I replaced most of these with PR_smprintf. Platforms tested: RHEL4 Flag Day: no Doc impact: no QA impact: should be covered by regular nightly and manual testing New Tests integrated into TET: none --- diff --git a/lib/libadminutil/form_post.c b/lib/libadminutil/form_post.c index 06ba1a7..b8d297d 100644 --- a/lib/libadminutil/form_post.c +++ b/lib/libadminutil/form_post.c @@ -192,7 +192,7 @@ string_to_vec(char *in) x=0; tmp = strtok(in, "&"); - if (!tmp) { /* error, bail out */ + if (!tmp || !strchr(tmp, '=')) { /* error, bail out */ PR_Free(in); return(ans); } @@ -218,6 +218,10 @@ string_to_vec(char *in) form_unescape(ans[x++]); while((tmp = strtok(NULL, "&"))) { + if (!strchr(tmp, '=')) { + PR_Free(in); + return ans; + } if (!(ans[x] = PL_strdup(tmp))) { if (admutil_i18nResource) { rpt_err(MEMORY_ERROR,