
[Security] Correct occurrences of (needle,haystack) to (haystack,needle) in strpos file validation #2953

Merged
merged 1 commit into from
Jul 20, 2017

Conversation

johnsaigle (Contributor) commented Jul 17, 2017

This pull request fixes several errors where code used to prevent path traversal was incorrectly using needle-haystack syntax instead of haystack-needle for the strpos function.

In order to prevent this occurring in the future, I strongly suggest that we merge #2918 and use the resolvePath() function for the prevention of path traversal. However, this PR addresses the immediate problem and should provide some hardening until #2918 is merged and can be applied throughout the codebase.

The below changes were made based on executing grep -nr "strpos(\".." . in the LORIS root and modifying each of the results (excluding the .vendor results).

Broken access control has been tested and confirmed on GetStatic.php, GetJs.php and data_release.

See also:
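As an added illustration (not code from this PR or from LORIS) of why the argument order matters: with the arguments swapped, strpos("..", $path) searches for the whole requested path inside the two-character string "..", which can never succeed for a real traversal string, so the guard silently allows everything. The block below puts the swapped call beside the corrected one, and adds a hypothetical realpath-based containment check in the spirit of the resolvePath() approach the author recommends. The function names isSafeSwapped, isSafeCorrected and isUnderBase, the sample paths and the temporary directory are all constructed for this example and are not the project's own.

```php
<?php
// Added example, not LORIS code. Demonstrates the needle/haystack mix-up
// fixed by this PR and a prefix-based containment check as a stronger option.
declare(strict_types=1);

// Vulnerable form: needle and haystack swapped. strpos("..", $path) asks
// whether $path occurs inside "..", which is only true for "", "." or "..".
// Any realistic traversal string therefore passes this check.
function isSafeSwapped(string $path): bool
{
    return strpos("..", $path) === false;
}

// Corrected form (the order this PR restores): look for ".." inside $path.
// Still a denylist on a substring; it rejects "a..b" and does not understand
// symlinks, so a resolved-path check is preferable.
function isSafeCorrected(string $path): bool
{
    return strpos($path, "..") === false;
}

// Hypothetical containment check (assumption: not the project's resolvePath()).
// Resolves both the base directory and the requested file to canonical
// absolute paths and requires the target to sit inside the base.
function isUnderBase(string $base, string $requested): bool
{
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($baseReal === false || $target === false) {
        return false; // non-existent or unresolvable paths are rejected
    }
    if ($target === $baseReal) {
        return true;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0;
}

// Constructed sample inputs: one legitimate path, two traversal attempts.
$samples = [
    "js/app.js",
    "../../../../etc/passwd",
    "static/../../config.xml",
];
foreach ($samples as $p) {
    printf("%-26s swapped=%-5s corrected=%s\n", $p,
        isSafeSwapped($p) ? "allow" : "deny",
        isSafeCorrected($p) ? "allow" : "deny");
}

// Constructed scratch directory so the realpath-based check runs offline.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "strpos-demo-" . getmypid();
mkdir($base . "/js", 0700, true);
file_put_contents($base . "/js/app.js", "// constructed sample file\n");

printf("isUnderBase(js/app.js)             = %s\n",
    isUnderBase($base, "js/app.js") ? "true" : "false");
printf("isUnderBase(../../etc/passwd)      = %s\n",
    isUnderBase($base, "../../etc/passwd") ? "true" : "false");

// Clean up the scratch directory.
unlink($base . "/js/app.js");
rmdir($base . "/js");
rmdir($base);
```

Run with `php example.php`. The first loop shows the swapped form allowing all three sample paths while the corrected form denies the two containing "..". The realpath-based function accepts js/app.js and rejects the traversal attempt whether or not /etc/passwd exists on the host, because an unresolvable path is refused and a resolvable one lands outside the base prefix.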

@johnsaigle johnsaigle added Category: Bug PR or issue that aims to report or fix a bug Release: Breaking changes PR that contains changes that might impact the code or accepted practices of active projects labels Jul 17, 2017
@johnsaigle johnsaigle added this to the 17.0 milestone Jul 17, 2017
driusan (Collaborator) left a comment

There are 5 commits unrelated to this change in the PR, can you fix the branch to only have the relevant commits?

johnsaigle (Contributor, Author)

@driusan Yep, will do so this afternoon.

@johnsaigle johnsaigle self-assigned this Jul 18, 2017
johnsaigle (Contributor, Author)

@driusan The extraneous commits were removed. Could you update your review?

@driusan driusan dismissed their stale review July 18, 2017 18:05

was fixed

Jkat (Contributor) commented Jul 19, 2017

This and #2948 can be merged.

@kongtiaowang kongtiaowang added the Passed manual tests PR has been successfully tested by at least one peer label Jul 19, 2017
@driusan driusan merged commit 6d67bd6 into aces:17.0-dev Jul 20, 2017
@johnsaigle johnsaigle added the Category: Security PR or issue that aims to improve security label Jul 23, 2018