
Re: [soaplite] Re: Preventing package name traversal attacks

  • Randy J. Ray
    Message 1 of 6 , Apr 10 3:09 AM
      >>>>> "Paul" == Paul Kulchenko <paulclinger@...>
      >>>>> wrote the following on Tue, 9 Apr 2002 23:38:16 -0700 (PDT)

      Paul> To disable it on server side you may use on_action handler:

      -> on_action(sub { die "Access denied\n" if $_[2] =~ /:|'/ })

      While looking into this last night, I was thinking that the on_dispatch()
      handler might be a better way to go-- it gets run earlier than the on_action()
      handler does. Plus, it seems to make more sense to my (sleep-deprived) brain,
      since I would expect the on_action() hook to accompany an action that is
      taking place, not prevent one at the last minute. But I guess it's just a
      matter of taste, as to which you use.

      Randy (yes, recently joined the list :-)
      --
      """""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
      Randy J. Ray rjray@...
      Campbell, CA rjray@...
      <A HREF="http://www.svsm.org">Silicon Valley Scale Modelers</A>
    • Paul Kulchenko
      Message 2 of 6 , Apr 10 7:42 AM
        Hi, Randy!

        --- "Randy J. Ray" <rjray@...> wrote:
        > -> on_action(sub { die "Access denied\n" if $_[2] =~ /:|'/ })

        >While looking into this last night, I was thinking that the
        >on_dispatch() handler might be a better way to go-- it gets run
        >earlier than the on_action() handler does. Plus, it seems to make
        >more sense to my (sleep-deprived) brain, since I would expect the
        >on_action() hook to accompany an action that is taking place, not
        >prevent one at the last minute. But I guess it's just a
        >matter of taste, as to which you use.
        That's true. Actual patch does it inside the handler, so you don't
        need to do anything in your code.

        Best wishes, Paul.

      • Tom Mornini
        Message 3 of 6 , Apr 10 9:04 AM
          On Wednesday, April 10, 2002, at 07:42 AM, Paul Kulchenko wrote:

          > --- "Randy J. Ray" <rjray@...> wrote:
          > > -> on_action(sub { die "Access denied\n" if $_[2] =~ /:|'/ })
          >
          > >While looking into this last night, I was thinking that the
          > >on_dispatch() handler might be a better way to go-- it gets run
          > >earlier than the on_action() handler does. Plus, it seems to make
          > >more sense to my (sleep-deprived) brain, since I would expect the
          > >on_action() hook to accompany an action that is taking place, not
          > >prevent one at the last minute. But I guess it's just a
          > >matter of taste, as to which you use.
          >
          > That's true. Actual patch does it inside the handler, so you don't
          > need to do anything in your code.

          does that mean you agree that the immediate fix is:

          on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })

          does on_dispatch receive the same parameter list as on_action?

          --
          -- Tom Mornini
          -- InfoMania Printing and Prepress
          --
          -- ICQ: 113526784, AOL: tmornini, Yahoo: tmornini, MSN: tmornini
        • Ilya Martynov
          Message 4 of 6 , Apr 10 11:14 AM
            >>>>> On Wed, 10 Apr 2002 09:04:35 -0700, Tom Mornini <tmornini@...> said:

            TM> That's true. Actual patch does it inside the handler, so you don't
            TM> need to do anything in your code.

            TM> does that mean you agree that the immediate fix is:

            TM> on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })

            TM> does on_dispatch receive the same parameter list as on_action?

            According to the sources, it seems that on_dispatch gets only one
            parameter: the request object.

            So the fix should look like

            on_dispatch(sub {
                die 'Access denied'
                    if shift->dataof->name =~ /:|'/
            })

            --
            Ilya Martynov (http://martynov.org/)
          • Tom Mornini
            Message 5 of 6 , Apr 10 2:03 PM
              On Wednesday, April 10, 2002, at 11:14 AM, Ilya Martynov wrote:

              > >>>>> On Wed, 10 Apr 2002 09:04:35 -0700, Tom Mornini
              > <tmornini@...> said:
              >
              > TM> That's true. Actual patch does it inside the handler, so you don't
              > TM> need to do anything in your code.
              >
              > TM> does that mean you agree that the immediate fix is:
              >
              > TM> on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })
              >
              > TM> does on_dispatch receive the same parameter list as on_action?
              >
              > According to the sources, it seems that on_dispatch gets only one
              > parameter: the request object.
              >
              > So the fix should look like
              >
              >     on_dispatch(sub {
              >                         die 'Access denied'
              >                             if shift->dataof->name =~ /:|'/
              >                })

              Thanks! I've implemented that and it works as expected.

              Does the same thing need to be done to XMLRPC::Lite?

              --
              -- Tom Mornini
              -- eWingz Systems, Inc.
              --
              -- ICQ: 113526784, AOL: tmornini, Yahoo: tmornini, MSN: tmornini
            • Ilya Martynov
              Message 6 of 6 , Apr 10 3:24 PM
                >>>>> On Wed, 10 Apr 2002 14:03:43 -0700, Tom Mornini <tmornini@...> said:

                IM> According to the sources, it seems that on_dispatch gets only one
                IM> parameter: the request object.

                IM> So the fix should look like

                IM>     on_dispatch(sub {
                IM>         die 'Access denied'
                IM>             if shift->dataof->name =~ /:|'/
                IM>     })

                TM> Thanks! I've implemented that and it works as expected.

                TM> Does the same thing need to be done to XMLRPC::Lite?

                XMLRPC::Lite looks vulnerable because it relies heavily on
                SOAP::Lite code (i.e. XMLRPC::Lite is mostly just a collection of
                subclasses of various SOAP::Lite classes).

                I think it is not possible to use this on_dispatch handler for
                XMLRPC::Lite::Server objects because, unlike SOAP::Server, they have
                an on_dispatch handler by default. Were it overridden with another, it
                may break XMLRPC::Lite functionality. I'm not sure. I've not tested it
                yet. For now it should be safer to use either the on_action handler or
                the patch posted earlier.

                --
                Ilya Martynov (http://martynov.org/)
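
Added example, not part of the original thread and not SOAP::Lite's own code: a toy Perl dispatcher showing why the handlers in this thread reject ':' and "'" in the method name before the call is resolved. The packages Exposed and Internal and the subs name_is_safe, dispatch_naive and dispatch_guarded are hypothetical, and the method names in the loop are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package Exposed;                  # hypothetical: the only class meant to be remotely callable
sub hello { return "hello from Exposed" }

package Internal;                 # hypothetical: never configured as a dispatch target
sub secret { return "Internal::secret ran" }

package main;

# Same test as the handlers in the thread: refuse any name containing ':' or "'".
# A single ':' is enough to catch '::'; "'" is Perl's legacy package separator.
sub name_is_safe { return $_[0] !~ /:|'/ }

# Naive dispatcher: uses the client-supplied string directly as a method name.
# Perl resolves a fully qualified name in the package it names, not in Exposed.
sub dispatch_naive {
    my ($name) = @_;
    return Exposed->$name();
}

# Guarded dispatcher: rejects qualified names first. The can() lookup is an
# extra check added for this example; it is not part of the thread's fix.
sub dispatch_guarded {
    my ($name) = @_;
    die "Access denied\n"  unless name_is_safe($name);
    die "No such method\n" unless Exposed->can($name);
    return Exposed->$name();
}

# Constructed sample names, as a client could place them in a request.
for my $name ('hello', 'Internal::secret', "Internal'secret") {
    my $naive   = eval { dispatch_naive($name) }   // "died: $@";
    my $guarded = eval { dispatch_guarded($name) } // "died: $@";
    chomp($naive, $guarded);
    printf "%-18s naive=%-26s guarded=%s\n", $name, $naive, $guarded;
}
```

How the naive dispatcher treats the "'" form depends on whether the running Perl still accepts it as a package separator; the guarded dispatcher refuses it either way.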