#2942 closed defect (fixed)
CGI "id" parameter not sufficiently validated, could allow for the creation of files on the file system
Reported by: | sdlime | Owned by: | sdlime |
---|---|---|---|
Priority: | high | Milestone: | 6.0 release |
Component: | MapServer C Library | Version: | unspecified |
Severity: | normal | Keywords: | |
Cc: | jmckenna, dmorissette |
Description
The CGI parameter (used for pseudo session handling) is not sufficiently validated and could be used to create files outside of intended locations. The parameter is checked for length but not for content so inserting relative paths alters where MapServer will try to create temporary files.
The fix is to apply a regex pattern to limit an id's value.
Steve
Change History (10)
comment:1 by , 14 years ago
Priority: | normal → high |
---|---|
Status: | new → assigned |
comment:2 by , 14 years ago
comment:4 by , 14 years ago
Cc: | added |
---|
comment:5 by , 14 years ago
Cc: | added |
---|
comment:6 by , 14 years ago
Milestone: | 5.2.2 release → 5.4 release |
---|
comment:7 by , 14 years ago
Milestone: | 5.4 release → 6.0 release |
---|
Fixed in 5.4 branch in r8855, moving to 6.0/trunk.
Steve
comment:8 by , 14 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed in trunk a while ago. Closing since there are no documentation issues.
Steve
Note that the current code also has an off-by-one error that doesn't take the null terminating character into consideration, so setting an id of 128 characters will trigger a buffer overflow. The regex check accounts for this by restricting the value to 1 less than IDSIZE as set in maptemplate.h.
Steve
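The two checks described in this ticket (restricting the id's content with a regex and capping its length at IDSIZE - 1 so the terminator fits), shown in C as an added example; this is not MapServer's code. The helper name `set_session_id`, the alphanumeric-only pattern and the value 128 for IDSIZE are assumptions made for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define IDSIZE 128  /* assumed value, matching the 128-character case above */

/* Hypothetical helper: copies value into out[IDSIZE] and returns 0 only if
 * it is 1..IDSIZE-1 alphanumeric characters; returns -1 otherwise. */
static int set_session_id(const char *value, char out[IDSIZE])
{
    char pattern[32];
    regex_t re;
    int rc;

    if (value == NULL)
        return -1;

    /* Build "^[A-Za-z0-9]{1,127}$" so the cap always tracks IDSIZE - 1. */
    snprintf(pattern, sizeof(pattern), "^[A-Za-z0-9]{1,%d}$", IDSIZE - 1);
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, value, 0, NULL, 0);
    regfree(&re);
    if (rc != 0)
        return -1;  /* empty, over-long, or contains '.', '/', '\\', etc. */

    /* strlen(value) <= IDSIZE - 1 here, so the null terminator fits. */
    memcpy(out, value, strlen(value) + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the ticket. */
    const char *samples[] = { "sess42", "../../tmp/evil", "a/b", "" };
    char id[IDSIZE];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %s\n", samples[i],
               set_session_id(samples[i], id) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Because the pattern is an allowlist anchored at both ends, path separators and dots never reach the code that builds the temporary file name, and the same check rejects the 128-character case before any copy happens.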