notebook: fix massive security vulnerability and get rid of all possible "internal server errors" when doing "Data --> Upload or attach file" #7495
Comments
comment:1
Yes, this is fully exploitable and allows one to delete any file on the server:
With a little more work, one could not only delete any file, but I think replace it by a file of one's choice. That's a pretty massive exploit. So I'm upping this to a blocker and fixing it now.
comment:2
Can you do a quick grep through the source to see if any os.* functions are used in a like manner in the notebook?
Attachment: sagenb-7495.patch.gz
comment:4
Creating a new file with name
comment:5
Replying to @qed777:
Actually, clicking to delete this file raises the error:
Attachment: sagenb-7495.2.patch.gz Version 2. Minor simplifications. Apply only this patch to sagenb repo.
comment:6
I think the
Author: William Stein
comment:7
Anyway, my digression aside, my review is positive, as far as it goes.
Reviewer: Mitesh Patel
comment:9
"Anyway, my digression aside, my review is positive, as far as it goes." so positive review.
comment:10
merged into sage-4.3 |
Uploading or attaching an empty file or a file that doesn't exist, etc. can cause internal server errors instead of a proper error message.
Moreover, notice these lines in twist.py:
With a properly crafted URL I bet name could contain .. and hence one could make the notebook server delete any file it has access to! This is a critical security vulnerability.
See also #3849 for similar issues when uploading a worksheet.
Component: notebook
Author: William Stein
Reviewer: Mitesh Patel
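The defensive shape of the fix the ticket asks for, as an added example written here rather than code from sagenb or the attached patch: the attachment name taken from the URL is confined to the worksheet's data directory before any os.* call, and empty or missing files produce a user-facing error instead of an internal server error. The function names, the `AttachmentError` class and the sample file names are assumptions for illustration.

```python
import os, tempfile

class AttachmentError(Exception):
    """User-facing error; the handler reports it instead of raising a 500."""

def safe_attachment_path(data_dir, name):
    """Map an attachment name from the URL to a path strictly inside data_dir."""
    # Reject empty names and bare '.'/'..' outright.
    if not name or name in (".", ".."):
        raise AttachmentError("missing or invalid attachment name")
    # A legitimate attachment is a single path component: no '/' and no '..' segments.
    if os.path.basename(name) != name:
        raise AttachmentError("invalid attachment name: %r" % name)
    # Resolve symlinks on both sides and confirm the result is a direct child of data_dir.
    base = os.path.realpath(data_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(path) != base:
        raise AttachmentError("attachment name escapes data directory")
    return path

def delete_attachment(data_dir, name):
    """Delete one attachment; a missing file yields an error message, not a traceback."""
    path = safe_attachment_path(data_dir, name)
    if not os.path.isfile(path):
        raise AttachmentError("no such attachment: %r" % name)
    os.remove(path)
    return "deleted %s" % name

def save_upload(data_dir, name, content):
    """Store uploaded bytes; an empty upload is refused with a clear error."""
    if not content:
        raise AttachmentError("uploaded file is empty")
    path = safe_attachment_path(data_dir, name)
    with open(path, "wb") as f:
        f.write(content)
    return path

def demo():
    """Exercise the checks on constructed sample names in a throwaway directory."""
    d = tempfile.mkdtemp()
    out = {"saved": os.path.isfile(save_upload(d, "notes.txt", b"x = 1\n")),
           "deleted": delete_attachment(d, "notes.txt"), "rejected": []}
    # Traversal attempts and an empty upload are all turned into AttachmentError.
    for bad in ("", "..", "../worksheet.html", "sub/dir.txt", "empty.txt"):
        try:
            save_upload(d, bad, b"" if bad == "empty.txt" else b"data")
        except AttachmentError as e:
            out["rejected"].append((bad, str(e)))
    return out
```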
Issue created by migration from https://trac.sagemath.org/ticket/7495