Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

"ZPublisher.HTTPRequest": minor security risk: tainted value access not reliable #630

Closed
d-maurer opened this issue May 16, 2019 · 2 comments

Comments

@d-maurer
Copy link
Contributor

commented May 16, 2019

HTTPRequest takes immense efforts to mark unsafe values as "tainted" - but gets unsafe via caching in other.
Assume that access to the request variable "x" is unsafe. If the first access to "x" is with HTTPRequest.get(...returnTaints=True...), then all accesses to "x" deliver a value marked as tainted. However, if the first access is with returnTaints=False, then all accesses deliver a value without "taint mark" (because the first access caches the returned value in other and the other lookup no longer honours returnTaints).

@d-maurer d-maurer added the bug label May 16, 2019

@icemac

This comment has been minimized.

Copy link
Member

commented May 17, 2019

Are there any ideas how to fix this issue?

@icemac icemac added this to To do in Zope 4 bugfix via automation May 17, 2019

@icemac icemac added this to the 4.0.1 milestone May 17, 2019

@d-maurer

This comment has been minimized.

Copy link
Contributor Author

commented May 17, 2019

d-maurer added a commit that referenced this issue May 18, 2019

Zope 4 bugfix automation moved this from To do to Done May 18, 2019

dataflake added a commit that referenced this issue May 18, 2019

Do not cache (implicit) request access to form data or cookies (#633)
* do not cache (implicit) request access to form data or cookies in `other`: #630

* remove comments as requested by @dataflake

* - smuggling a small web link fix into Dieter's PR
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
2 participants
You can’t perform that action at this time.