Re: [Templates] Template Toolkit 2 Relative Path Security Problem

From: Josh Rosenbaum
Subject: Re: [Templates] Template Toolkit 2 Relative Path Security Problem
Date: 09:03 on 18 Jan 2005
I was wondering if anyone had any comments on this?  Does it seem like 
an ok patch?

If we're worried about messing up someone else's stuff, we could always 
add an addition here rather than changing it.  So right after this:

----------------------------------------------------------
    elsif ($name =~ m[^\.+/]) {
        # anything starting "./" is relative to cwd, allowed if RELATIVE set
        ($data, $error) = $self->{ RELATIVE }
            ? $self->_fetch($name)
            : $self->{ TOLERANT }
                ? (undef, Template::Constants::STATUS_DECLINED)
                : ("$name: relative paths are not allowed (set RELATIVE option)",
                   Template::Constants::STATUS_ERROR);
    }
----------------------------------------------------------

we could do something like:
----------------------------------------------------------
elsif($self->{ DISABLE_RELATIVE_NEW } && $name =~ m[(?:^|/)\.+/]){
    # same stuff in here as the regular elsif specified above.
}
----------------------------------------------------------

In this manner the normal behavior won't be changed unless someone 
specifies to use the new relative disabling.

Honestly, I'd prefer not to go that route, and just fix things with the 
regular expression mentioned in my first post.

Thoughts?

-- Josh

Josh Rosenbaum wrote:
> This is related to the following:
> Template Toolkit 2.14
>  Provider.pm - 2.81
> I believe the RELATIVE path option has a small problem.  While doing 
> some testing, I noticed that I was able to do this:
> 
> [% INCLUDE foo/../../../../etc/passwd %]
> (with RELATIVE/ABSOLUTE both set to 0, and foo is in the INCLUDE path of 
> '/a/path/here/'. (in other words: '/a/path/here/foo/' exists.)
> 
> I believe this is related to line 136 of Template/Provider.pm:
> " elsif ($name =~ m[^\.+/]) {"
> 
> It looks like a relative path is only considered to be one that starts 
> with a '.+/'.  Perhaps a little more checking would be in order? For 
> example maybe:
> $name =~ m[(?:^|/)\.+/]
> (i.e. if the dot(s) is preceded by the beginning of the string or a slash.)
> 
> There may be other areas of Template Toolkit that use the m[^\.+/] 
> regular expression as well that may need to be fixed up.
> 
> Here are the other areas in the default package that I found:
>  Template/Provider.pm:load():line 192:"elsif ($name =~ m[^\.+/]) {"
> 
> 
> -- Josh
> 
> _______________________________________________
> templates mailing list
> templates@xxxxxxxxxxxxxxxx.xxx
> http://lists.template-toolkit.org/mailman/listinfo/templates
> 
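
The difference between the two patterns discussed in this message, as an added example that is not part of the original post or of Template Toolkit's own code. The template names are constructed samples, and `has_dot_segment` is a hypothetical stricter check that goes one step beyond the proposed pattern by testing every path segment.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two patterns from the thread.
my $anchored = qr{^\.+/};          # check quoted from Provider.pm 2.81
my $proposed = qr{(?:^|/)\.+/};    # pattern proposed in the post

# Hypothetical stricter check (an assumption, not Template Toolkit code):
# treat the name as relative if any path segment is exactly "." or "..",
# wherever it appears, including as the last segment.
sub has_dot_segment {
    my ($name) = @_;
    return scalar grep { $_ eq '.' || $_ eq '..' } split m{/}, $name, -1;
}

# Constructed sample template names.
my @names = (
    'header.tt',                    # plain name
    './local.tt',                   # leading "./"
    '../up.tt',                     # leading "../"
    'foo/../../../../etc/passwd',   # the case reported in the post
    'foo/./bar.tt',                 # "." in the middle
    'foo/.hidden/bar.tt',           # dot-prefixed directory, not relative
    'foo/..',                       # ".." as last segment, no slash after it
);

printf "%-30s %-9s %-9s %s\n", 'name', 'anchored', 'proposed', 'segments';
for my $name (@names) {
    printf "%-30s %-9s %-9s %s\n", $name,
        ($name =~ $anchored       ? 'relative' : 'ok'),
        ($name =~ $proposed       ? 'relative' : 'ok'),
        (has_dot_segment($name)   ? 'relative' : 'ok');
}
```

Only the first two relative forms are caught by the anchored pattern; the proposed pattern also catches dot segments in the middle of the name, and the segment check additionally covers a trailing `..`.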


Generated at 08:55 on 15 Mar 2005 by mariachi v0.52