From 2870086da0070dad38bdb4a22be9e07dd1c8c713 Mon Sep 17 00:00:00 2001 From: Chris Date: Mon, 22 Jun 2015 05:23:52 +0000 Subject: [PATCH] Bug 14408: Path Traversal error Counter counter patch Please test well, including with the null byte %00, this uses a whitelisting to only allow files ending with .tt and not allowing ../etc Note the previous patch tries to protect against /etc/passwd but //etc/passwd is now vulnerable. I do think a whitelist is safer than trying to do a blacklist /cgi-bin/koha/svc/virtualshelves/search /cgi-bin/koha/svc/members/search Are vulnerable To test: 1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt Notice you get a valid JSON response 2/ Hit /search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd (You may have add more ..%2f or remove them to get the correct path) Notice you can see the contents of the /etc/passwd file 3/ Hit /cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd 4/ Apply patch 5/ Hit the first url again, notice it still works 6/ Hit the second url notice it now errors with a file not found 7/ Hit the third url notice it now errors with a file not found Repeat for the other script also Signed-off-by: Jonathan Druart Signed-off-by: Katrin Fischer Signed-off-by: Tomas Cohen Arazi (cherry picked from commit 5a7f459290326e1cea8460bb0817492340dd4150) Signed-off-by: Chris Cormack (cherry picked from commit 364de7531c7b0ac604d396e3af1c84f674e7221e) Conflicts: C4/Auth.pm --- C4/Auth.pm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/C4/Auth.pm b/C4/Auth.pm index 164092d01e..23311f0083 100644 --- a/C4/Auth.pm +++ b/C4/Auth.pm @@ -139,6 +139,9 @@ sub get_template_and_user { my $in = shift; my ( $user, $cookie, $sessionID, $flags ); + my $safe_chars = 'a-zA-Z_\-\/'; + die "bad template path" unless $in->{'template_name'} =~ m/^[$safe_chars]+.tt?$/ig; #sanitize input + $in->{'authnotrequired'} ||= 0; my $template = C4::Templates::gettemplate( $in->{'template_name'}, -- 2.39.5