Item8868: Security hole in %IF
Priority: Urgent
Current State: Closed
Released In: 1.1.0
Target Release: minor
Applies To: Engine
Component:
Branches:
I just realised that %QUERY it can be used to recover sensitive configuration items. Also %IF can be used to test any configuration item.
--
CrawfordCurrie - 09 Apr 2010
Plugged.
--
CrawfordCurrie - 09 Apr 2010
The way I plugged it is utter shite, as shown by the addition of NAMEFILTER. Let's not release with this. Revert this change, and spec a subset of configuration vars that are accessible via %QUERY
--
CrawfordCurrie - 29 Jun 2010
Done, by filtering the visible vars, and promoting the tech to the query parser proper so it's inherited by
QUERY,
SEARCH and IF. This has the impact that %IF tests on non-exported vars will no longer work, but it's easy to work around if so.
--
CrawfordCurrie - 29 Jun 2010