MessageSource::getMessageFilePath() - filename injection #18912
Comments
|
Is there any place where end user could provide the language directly and that message would pop up? I cannot find such case. |
|
Yii don't have "fools protection" |
|
@bizley the case is any website that provides language selection on UI |
|
@uaoleg you must escape ANY user data - it's contained in ANY security guide |
|
@WinterSilence no, I should not. For example if user has name |
|
@uaoleg read more about second-order SQL injection |
Since the framework is not using that value (I mean "provided by user") directly we rely on the developer to validate it when passing to the component. |
|
@bizley it's not obvious that this property is used as a part of filepath. I'll create a simple PR which will fix this issue yii2/framework/base/Application.php Line 116 in 435b6dc |
|
Hm, ok, please do. Maybe we need to add some more clarification for that. |
|
We should escape it. Something like |
|
Created a PR #18913 |
|
@samdark class must generate error instead escape: |
|
Agree 👍 |
|
@uaoleg would you please adjust the pull request? It should throw |
|
@samdark done |
Yii::$app->language can contain any string, and this string is directly passed into MessageSource::getMessageFilePath() and used in filename without any validation:
yii2/framework/i18n/PhpMessageSource.php
Line 135 in 435b6dc
That could be a potetial security issue:
The message file for category 'yii' does not exist: /var/www/app/vendor/yiisoft/yii2/messages/"><script >alert(String.fromCharCode(88,83,83))</script>/yii.php Fallback file does not exist as well: /var/www/app/vendor/yiisoft/yii2/messages/">/yii.phpThe text was updated successfully, but these errors were encountered: