You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The original removed double slashes and ../ parent directory references from the URI, the new code simply strips all dots when followed by a slash, which I think is not what should happen here. Am I correct?
The reason will be displayed to describe this comment to others. Learn more.
Yeah, there's an issue posted on the forum, where someone needs to use a URI like /controller/method/param1./param2./param3, and the dots are stripped of the URI segments...
The reason will be displayed to describe this comment to others. Learn more.
In that case unless @frankdejonge can shed any light on this I'd say we go back to the old behaviour. Either that or the person having an issue has to re-think their design a little.
The reason will be displayed to describe this comment to others. Learn more.
Not really sure why we need to filter this anyway. Fuel URI's don't point to a position on disk, they are controller method mappings, so having a URI like /controller/../../../../../../etc/passwd would simply not do anything...
Even worse, standard rewriting first checks if the request points to an existing file or directory. So if a URI can be crafted to (in this example) access the password file, the request wouldn't even reach Fuel...
The reason will be displayed to describe this comment to others. Learn more.
I suppose it could be a possible issue if the uri parameter in the route has a greedy regex and the parameter is passed through to something that loads a file. But arguably that's also a bad developer issue.
All input data should be validated before using them, even if it comes from URI string.
But Fuel provides URI security, so users may forget the validations for URI data.
If you change the code, it may be BC break.
But arguably that's also a bad developer issue.
Yes. But if there is a bad developer, and if he/she have to check all code that uses URI data and have to add validation for them, it costs much.
The reason will be displayed to describe this comment to others. Learn more.
The preg_replace isn't correct, since that would convert /this./that./ to /this/that/, the dots are stripped, which is why I started by reverting that commit.
I wonder if this is much of an issue, since the URI in Fuel isn't used for directory traversal at all, it is passed as a parameter to index.php.
Even worse, since most people start there rewrite rules with a -D and -F check before rewriting to index.php, a URL with ../ in it that resolves to an existing file will never be passed on to Fuel.
The reason will be displayed to describe this comment to others. Learn more.
You will see that if you try a URL like http://example.org/../../../../etc/passwd, the webserver does a sort of realpath(), and will convert it to http://example.org/etc/passwd which will be rewritten to index.php?etc/passwd.
Unless in your app the controller method Etc::action_passwd() exists, this will lead to a 404 exception.
The reason will be displayed to describe this comment to others. Learn more.
I would even say we should completely remove this, since it doesn't bring anything in terms of security, and it potentially strips data, since URI segments are (or can be) used to pass parameters.
b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@stevewest @frankdejonge Any idea what the rationale behind this change was?
The original removed double slashes and
../
parent directory references from the URI, the new code simply strips all dots when followed by a slash, which I think is not what should happen here. Am I correct?b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wow, this is old code. And I am not sure I really see the advantage here, has an issue come up regarding this?
b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, there's an issue posted on the forum, where someone needs to use a URI like
/controller/method/param1./param2./param3
, and the dots are stripped of the URI segments...b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In that case unless @frankdejonge can shed any light on this I'd say we go back to the old behaviour. Either that or the person having an issue has to re-think their design a little.
b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not really sure why we need to filter this anyway. Fuel URI's don't point to a position on disk, they are controller method mappings, so having a URI like
/controller/../../../../../../etc/passwd
would simply not do anything...Even worse, standard rewriting first checks if the request points to an existing file or directory. So if a URI can be crafted to (in this example) access the password file, the request wouldn't even reach Fuel...
b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose it could be a possible issue if the uri parameter in the route has a greedy regex and the parameter is passed through to something that loads a file. But arguably that's also a bad developer issue.
b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Exactly, then you're talking about either segments as input, or get variables as input. Both should be validated separate from the URI.
b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, in that case I don't think I have any issue with changing this behaviour.
b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we want to avoid string
../
, the previous code is not enough.The results:
All input data should be validated before using them, even if it comes from URI string.
But Fuel provides URI security, so users may forget the validations for URI data.
If you change the code, it may be BC break.
Yes. But if there is a bad developer, and if he/she have to check all code that uses URI data and have to add validation for them, it costs much.
b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The preg_replace isn't correct, since that would convert
/this./that./
to/this/that/
, the dots are stripped, which is why I started by reverting that commit.I wonder if this is much of an issue, since the URI in Fuel isn't used for directory traversal at all, it is passed as a parameter to index.php.
Even worse, since most people start there rewrite rules with a -D and -F check before rewriting to index.php, a URL with
../
in it that resolves to an existing file will never be passed on to Fuel.b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You will see that if you try a URL like
http://example.org/../../../../etc/passwd
, the webserver does a sort of realpath(), and will convert it tohttp://example.org/etc/passwd
which will be rewritten toindex.php?etc/passwd
.Unless in your app the controller method
Etc::action_passwd()
exists, this will lead to a 404 exception.b83b52a
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would even say we should completely remove this, since it doesn't bring anything in terms of security, and it potentially strips data, since URI segments are (or can be) used to pass parameters.