Skip to content

[6.32] [http] sanitize URL options before use them#22361

Merged
linev merged 6 commits into
root-project:v6-32-00-patchesfrom
linev:http_sanity_632
May 21, 2026
Merged

[6.32] [http] sanitize URL options before use them#22361
linev merged 6 commits into
root-project:v6-32-00-patchesfrom
linev:http_sanity_632

Conversation

@linev
Copy link
Copy Markdown
Member

@linev linev commented May 21, 2026

Backport of #22186

linev added 6 commits May 21, 2026 07:45
@linev
[http] cleanup URL option before usage
780e2fe 
Remove any special symbols
Add escape characters for quote and escape itself
Discard all URL options longer than 1K

Try to avoid manipulation of arguments for method execution
@linev
[http] cleanup draw option in image production
a323de3 
Avoid special characters as draw arguments
@linev
[http] strictly check arguments in ProduceExe
af56256 
Always use DecodeUrlOptionValue method when processing URL arguments
or URL string. Internally method provides escape symbols for quotes and backslash.
If expecting numeric value - remove all symbols
keeping alphanumeric, '.', '+', '-' and ':'
@linev
[http] introduce fAllowPostObject flag
91715e5 
It allows to deserialize post data as ROOT object when processing exe.json request.
While this can leads to arbitrary code loading and injection, disable this feature by default.
Can be enabled back with:
 ```
serv->SetAllowPostObject(kTRUE);
```
@linev
[http] analyze arguments of cmd.json
26c09b4 
While here arbitrary string injected into ProcessLine,
ensure that only numeric argument is not quoted.
All other arguments kinds will be quoted and prevent execution of potentially dangerous code
@linev
[test] add ROOT sniffer testing
c2eec23 
Verify execution of several supported requests
which can be handled by http server. Testing:
   - root.json
   - root.xml
   - file.root
   - exe.json
   - exe.json with POST data
   - item.json
   - cmd.json
   - multi.json

Also verify basic functionality of
TRootSniffer::DecodeUrlOptionValue method
@linev linev self-assigned this May 21, 2026
@linev linev requested a review from bellenot as a code owner May 21, 2026 05:46
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 21, 2026

Test Results

     6 files       6 suites   20h 3m 1s ⏱️
 2 563 tests  2 563 ✅ 0 💤 0 ❌
14 963 runs  14 963 ✅ 0 💤 0 ❌

Results for commit c2eec23.

@linev linev merged commit 328b3ec into root-project:v6-32-00-patches May 21, 2026
8 of 9 checks passed
@linev linev deleted the http_sanity_632 branch May 21, 2026 10:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bellenot bellenot Awaiting requested review from bellenot bellenot is a code owner

Assignees

@linev linev

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@linev