Item13048: Security issues with Windows and attachment name extensions
Priority: Security
Current State: Closed
Released In: 2.0.0
Target Release: major
--
GeorgeClark - 07 Oct 2014
The current
UploadFilter regex, written out for readability:
(?^:
^
(\\.htaccess |
.*\\.(?i)
(?:
php[0-9s]?(\\..*)? |
[sp]htm[l]?(\\..*)? |
pl |
py |
cgi
) # Add a ? here to make the extension optional on Windows systems
)
$)
--
GeorgeClark - 07 Oct 2014
Unit test for the proposed fix:
sub test_illegal_upload_Item13048 {
    my ($this) = @_;

    # Slurp mode; kept from the original test, presumably for file reads
    # done inside the upload helpers (not needed by this sub itself).
    local $/ = undef;

    my $payload = 'asdfasdf';

    # The submitted name carries a leading NUL byte and a trailing dot.
    # Windows silently strips a trailing dot from filenames, so ".htaccess."
    # would land on disk as ".htaccess"; the sanitizer is expected to drop
    # the NUL and append ".txt" so the filter still applies.
    my ( $goodfilename, $badfilename ) =
      Foswiki::Sandbox::sanitizeAttachmentName("\0.htaccess.");
    $this->assert_str_equals( '.htaccess..txt', $goodfilename );

    # Ordered list (not a hash) so the arguments reach do_upload in the
    # same order as before.
    my @upload_args = (
        hidefile         => 0,
        filecomment      => 'Elucidate the goose',
        createlink       => 0,
        changeproperties => 0,
    );

    # Uploading under the unsanitised name must be refused with an
    # "upload_name_changed" oops whose second param is the sanitised name.
    try {
        $this->do_upload( $badfilename, $payload, undef, @upload_args );
        $this->assert(0);    # reached only if the upload was not rejected
    }
    catch Foswiki::OopsException with {
        my $err = shift;
        $this->assert_str_equals( $goodfilename, $err->{params}[1] );
        $this->assert_str_equals( 'upload_name_changed', $err->{def} );
    };

    return;
}
--
GeorgeClark - 07 Oct 2014
This test FAILS if the
UploadFilter regex is coded as a qr// style regex: it gets pre-compiled with case-sensitive matching.
# The filter must be case-insensitive: ".HTAccess" has to be sanitised the
# same way as ".htaccess", i.e. get ".txt" appended.
( $goodfilename, $badfilename ) =
  Foswiki::Sandbox::sanitizeAttachmentName(".HTAccess");
$this->assert_str_equals( '.HTAccess.txt', $goodfilename );

# Ordered list so do_upload receives the options in the original order.
my @ci_upload_args = (
    hidefile         => 0,
    filecomment      => 'Elucidate the goose',
    createlink       => 0,
    changeproperties => 0,
);

# The upload under the raw name must fail with an "upload_name_changed"
# oops that reports the sanitised name as its second param.
try {
    $this->do_upload( $badfilename, $data, undef, @ci_upload_args );
    $this->assert(0);    # reached only if the upload was not rejected
}
catch Foswiki::OopsException with {
    my $err = shift;
    $this->assert_str_equals( $goodfilename, $err->{params}[1] );
    $this->assert_str_equals( 'upload_name_changed', $err->{def} );
};
--
GeorgeClark - 08 Oct 2014