Item13237: Foswiki.pm calls Users::loadSession with tainted ENV{PATH}
Priority: Normal
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component:
Branches: master
I was able to fix the issue with the following change to ensure ENV has been untainted in case loadSession uses it.
diff -u Foswiki.pm.orig Foswiki.pm
--- Foswiki.pm.orig 2015-01-28 10:28:34.971938969 -0800
+++ Foswiki.pm 2015-01-28 10:28:15.722364621 -0800
@@ -1784,8 +1784,6 @@
}
ASSERT( $this->{urlHost} ) if DEBUG;
- # Load (or create) the CGI session
- $this->{remoteUser} = $this->{users}->loadSession($defaultUser);
# Make %ENV safer, preventing hijack of the search path. The
# environment is set per-query, so this can't be done in a BEGIN.
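Review bot: With the loadSession call removed from its place right after the ASSERT on urlHost, $this->{remoteUser} stays unset through the %ENV clean-up that follows. The two hunks skip several lines of that block, so please confirm that nothing in it reads $this->{remoteUser} or other session state before the call runs at its new position.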
@@ -1801,6 +1799,8 @@
$ENV{PATH} = Foswiki::Sandbox::untaintUnchecked( $ENV{PATH} );
}
delete @ENV{qw( IFS CDPATH ENV BASH_ENV )};
+ # Load (or create) the CGI session
+ $this->{remoteUser} = $this->{users}->loadSession($defaultUser);
if ( $Foswiki::cfg{GetScriptUrlFromCgi}
&& $url
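Review bot: The comment on the re-added call, "# Load (or create) the CGI session", does not record why the call now has to follow the $ENV{PATH} untaint and the delete @ENV{qw( IFS CDPATH ENV BASH_ENV )} line, so a later reordering could bring the taint failure back. Suggest extending the comment to say the call must come after %ENV has been sanitised because loadSession may use the environment.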
--
DavidM - 28 Jan 2015
Thanks for debugging this and the proposed fix. Finding subtle tainting issues can be a challenge. Applied to 1.2, but much earlier in the initialization.
--
GeorgeClark - 28 Jan 2015