]> git.koha-community.org Git - koha.git/commit
Bug 14408: Path Traversal error
authorChris <chris@bigballofwax.co.nz>
Mon, 22 Jun 2015 05:23:52 +0000 (05:23 +0000)
committerFridolin Somers <fridolin.somers@biblibre.com>
Tue, 23 Jun 2015 10:02:07 +0000 (12:02 +0200)
commit2870086da0070dad38bdb4a22be9e07dd1c8c713
tree65f77c4230f70aedb7cdf37cadd996d6776ff0ea
parentb9ebf70d9583d761d8db9eaf503ebe9498bc01e0
Bug 14408: Path Traversal error

Counter counter patch
Please test well, including with the null byte %00, this uses a whitelisting to only allow files ending with .tt
and not allowing ../etc

Note the previous patch tries to protect against /etc/passwd
but //etc/passwd is now vulnerable.  I do think a whitelist is safer than trying to do a blacklist

/cgi-bin/koha/svc/virtualshelves/search
/cgi-bin/koha/svc/members/search

Are vulnerable

To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
  Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
  (You may have add more ..%2f or remove them to get the correct path)
  Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found

Repeat for the other script also

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5a7f459290326e1cea8460bb0817492340dd4150)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit 364de7531c7b0ac604d396e3af1c84f674e7221e)

Conflicts:
C4/Auth.pm
C4/Auth.pm