
1407 Is XMLRPC::Lite vulnerable to traversal attacks?

  • Tom Mornini
    Apr 10, 2002
      On Wednesday, April 10, 2002, at 11:14 AM, Ilya Martynov wrote:

      > >>>>> On Wed, 10 Apr 2002 09:04:35 -0700, Tom Mornini
      > <tmornini@...> said:
      >
      > TM> That's true. Actual patch does it inside the handler, so you don't
      > TM> need to do anything in your code.
      >
      > TM> does that mean you agree that the immediate fix is:
      >
      > TM> on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })
      >
      > TM> does on_dispatch receive the same parameter list as on_action?
      >
      > According to the sources, it seems that on_dispatch gets only one parameter:
      > the request object.
      >
      > So the fix should look like
      >
      >     on_dispatch(sub {
      >                         die 'Access denied'
      >                             if shift->dataof->name =~ /:|'/
      >                })

      Thanks! I've implemented that and it works as expected.

      Does the same thing need to be done to XMLRPC::Lite?

      --
      -- Tom Mornini
      -- eWingz Systems, Inc.
      --
      -- ICQ: 113526784, AOL: tmornini, Yahoo: tmornini, MSN: tmornini
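
Added example, not part of the thread and not SOAP::Lite or XMLRPC::Lite code: the check from the quoted fix applied to constructed method names, showing that `/:|'/` rejects both Perl package separators (`::` and the legacy `'`). The `Demo::Service` package, the helper names and the stricter allow-list pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical service class: only its own subs are meant to be callable.
package Demo::Service;
sub echo { my ($class, $msg) = @_; return "echo: $msg" }

package main;

# The thread's check: a method name containing ":" (as in "::") or the
# legacy "'" package separator points outside the exposed class.
sub has_package_separator { return $_[0] =~ /:|'/ ? 1 : 0 }

# Stricter allow-list form (an assumption, not from the thread):
# accept a plain identifier and nothing else.
sub is_plain_identifier {
    return $_[0] =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/ ? 1 : 0;
}

# Resolve a requested name strictly inside $class, or die.
sub resolve_method {
    my ($class, $name) = @_;
    die "Access denied\n" if has_package_separator($name);
    die "Access denied\n" unless is_plain_identifier($name);
    my $code = $class->can($name) or die "No such method\n";
    return $code;
}

# Constructed sample method names, as they might arrive in a request.
my @requested = ('echo', 'Other::Package::run', "Other'Package'run",
                 'echo ', 'missing', '');

for my $name (@requested) {
    my $code = eval { resolve_method('Demo::Service', $name) };
    my $verdict;
    if ($code) {
        $verdict = 'dispatched, result: ' . $code->('Demo::Service', 'hi');
    }
    else {
        (my $err = $@) =~ s/\s+\z//;    # strip the trailing newline
        $verdict = "rejected: $err";
    }
    printf "%-24s %s\n", "[$name]", $verdict;
}
```

Looking the method up with `can` on the one exposed class keeps resolution inside that class even if the name filter is later loosened.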