Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"ZPublisher.HTTPRequest": minor security risk: tainted value access not reliable #630

Closed
d-maurer opened this issue May 16, 2019 · 2 comments · Fixed by #633
Closed

"ZPublisher.HTTPRequest": minor security risk: tainted value access not reliable #630

d-maurer opened this issue May 16, 2019 · 2 comments · Fixed by #633
Labels
bug
Projects
Zope 4 bugfix
Milestone
4.1

Comments

@d-maurer
Copy link
Contributor

HTTPRequest takes immense efforts to mark unsafe values as "tainted" - but gets unsafe via caching in other.
Assume that access to the request variable "x" is unsafe. If the first access to "x" is with HTTPRequest.get(...returnTaints=True...), then all accesses to "x" deliver a value marked as tainted. However, if the first access is with returnTaints=False, then all accesses deliver a value without "taint mark" (because the first access caches the returned value in other and the other lookup no longer honours returnTaints).
@d-maurer d-maurer added the bug label May 16, 2019
@icemac
Copy link
Member

icemac commented May 17, 2019

Are there any ideas how to fix this issue?

@icemac icemac added this to To do in Zope 4 bugfix via automation May 17, 2019
@icemac icemac added this to the 4.0.1 milestone May 17, 2019
@d-maurer
Copy link
Contributor Author

d-maurer commented May 17, 2019 via email

d-maurer added a commit that referenced this issue May 18, 2019
@d-maurer
do not cache (implicit) request access to form data or cookies in `ot…
7095f8b 
…her`: #630
@d-maurer d-maurer mentioned this issue May 18, 2019
Merged
Zope 4 bugfix automation moved this from To do to Done May 18, 2019
dataflake pushed a commit that referenced this issue May 18, 2019
@d-maurer @dataflake
Do not cache (implicit) request access to form data or cookies (#633)
71fc5e1 
* do not cache (implicit) request access to form data or cookies in `other`: #630

* remove comments as requested by @dataflake

* - smuggling a small web link fix into Dieter's PR
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
Zope 4 bugfix
  
Done
Milestone
4.1
Development

Successfully merging a pull request may close this issue.

Do not cache (implicit) request access to form data or cookies zopefoundation/Zope
2 participants
@icemac @d-maurer