
Sanitize ScoringDownload getFile parameter. Fixes bug #3793 #748

Merged
merged 2 commits into from Jun 21, 2017

@mgage
Member

mgage commented Nov 4, 2016

This fixes at least part of bug #3793. Now the file name cannot contain /, which prevents the exploit described in #3793.

@mgage

Member Author

mgage commented Nov 4, 2016

To test: Enter the following url as per bug #3793:

https://webwork.swarthmore.edu/webwork2/coursename/instructor/scoringDownload?getFile=../../../../../etc/passwd

You should get an error complaining about the path components.

@mgage mgage requested review from aubreyja, pstaabp, dlglin and jwj61 Jun 15, 2017

@pstaabp

Member

pstaabp commented Jun 15, 2017

Looks like anything with a / generates an error. I also tried a ~ such as ?getFile=~pstaab and we get a 404 error. Should we say the same error for that as well?

@mgage

Member Author

mgage commented Jun 21, 2017

OK. I added a check for ~ anywhere in the "filename". Anything else?
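The check this PR describes (reject any `/` in `getFile`, and after review any `~` as well), as an added example that is not WeBWorK's own Perl code: a Python re-implementation that also rejects `.`/`..` and confirms the resolved path stays inside the scoring directory. The function names and the scoring-directory argument are assumptions.

```python
"""Validate a user-supplied scoring file name before it is opened.

Added example, not WeBWorK code. The PR rejects '/' and '~' anywhere in
getFile; this version adds '.'/'..' and NUL checks plus a containment
check on the resolved path as defense in depth.
"""
import os
from typing import Optional


def check_scoring_filename(name: str) -> Optional[str]:
    """Return an error message for an unsafe getFile value, or None if acceptable."""
    if not name:
        return "empty file name"
    if "\0" in name:
        return "file name contains a NUL byte"
    # Any separator means the value carries path components (the bug #3793 case).
    if "/" in name or "\\" in name:
        return "file name must not contain path components"
    # Home-directory expansion (pstaabp's ?getFile=~pstaab case).
    if "~" in name:
        return "file name must not contain ~"
    # Bare '.' and '..' pass the checks above but are not files.
    if name in (".", ".."):
        return "file name must be a real file name"
    return None


def resolve_scoring_file(scoring_dir: str, name: str) -> str:
    """Map getFile onto an absolute path inside scoring_dir; raise ValueError if unsafe.

    scoring_dir is an assumed argument: the directory scoring files live in.
    """
    err = check_scoring_filename(name)
    if err:
        raise ValueError(err)
    base = os.path.realpath(scoring_dir)
    full = os.path.realpath(os.path.join(base, name))
    # Containment check: even if a check above were bypassed, the result must
    # still be located under the scoring directory.
    if os.path.commonpath([base, full]) != base:
        raise ValueError("resolved path escapes the scoring directory")
    return full
```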

@pstaabp pstaabp merged commit 94b4a42 into openwebwork:master Jun 21, 2017

@mgage mgage referenced this pull request Jun 21, 2017

Open

Current summary of items to fix for ww2.13 release #776

17 of 19 tasks complete

@mgage mgage deleted the mgage:scoringDownloadBug branch Jun 25, 2017
