Loading ...
Sorry, an error occurred while loading the content.

Re: [soaplite] Re: Preventing package name traversal attacks

Expand Messages
  • Paul Kulchenko
    Hi, Randy! ... /:| / }) ... That s true. Actual patch does it inside the handler, so you don t need to do anything in your code. Best wishes, Paul.
    Message 1 of 6 , Apr 10, 2002
    • 0 Attachment
      Hi, Randy!

      --- "Randy J. Ray" <rjray@...> wrote:
      > -> on_action(sub { die "Access denied\n" if $_[2] =~
      /:|'/ })<BR>

      >While looking into this last night, I was thinking that the
      >on_dispatch() handler might be a better way to go-- it gets run
      >earlier than the on_action() handler does. Plus, it seems to make
      >more send to my (sleep-deprived) brain, since I would expect the
      >on_action() hook to accompany an action that is taking place, not
      >prevent one at the last minute. But I guess it's just a
      >matter of taste, as to which you use.
      That's true. Actual patch does it inside the handler, so you don't
      need to do anything in your code.

      Best wishes, Paul.

      __________________________________________________
      Do You Yahoo!?
      Yahoo! Tax Center - online filing with TurboTax
      http://taxes.yahoo.com/
    • Tom Mornini
      ... does that mean you agree that the immediate fix is: on_dispatch(sub { die Access denied if $_[2] =~ /:| / }) does on_dispatch receive the same parameter
      Message 2 of 6 , Apr 10, 2002
      • 0 Attachment
        On Wednesday, April 10, 2002, at 07:42 AM, Paul Kulchenko wrote:

        > --- "Randy J. Ray" <rjray@...> wrote:
        > > -> on_action(sub { die "Access denied\n" if $_[2] =~
        > /:|'/ })<BR>
        >
        > >While looking into this last night, I was thinking that the
        > >on_dispatch() handler might be a better way to go-- it gets run
        > >earlier than the on_action() handler does. Plus, it seems to make
        > >more send to my (sleep-deprived) brain, since I would expect the
        > >on_action() hook to accompany an action that is taking place, not
        > >prevent one at the last minute. But I guess it's just a
        > >matter of taste, as to which you use.
        >
        > That's true. Actual patch does it inside the handler, so you don't
        > need to do anything in your code.

        does that mean you agree that the immediate fix is:

        on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })

        does on_dispatch receive the same parameter list as on_action?

        --
        -- Tom Mornini
        -- InfoMania Printing and Prepress
        --
        -- ICQ: 113526784, AOL: tmornini, Yahoo: tmornini, MSN: tmornini
      • Ilya Martynov
        ... TM That s true. Actual patch does it inside the handler, so you don t TM need to do anything in your code. TM does that mean you agree that the
        Message 3 of 6 , Apr 10, 2002
        • 0 Attachment
          >>>>> On Wed, 10 Apr 2002 09:04:35 -0700, Tom Mornini <tmornini@...> said:

          TM> That's true. Actual patch does it inside the handler, so you don't
          TM> need to do anything in your code.

          TM> does that mean you agree that the immediate fix is:

          TM> on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })

          TM> does on_dispatch receive the same parameter list as on_action?

          According sources it seems that on_dispatch gets only one parameter:
          request object.

          So fix should look like

          on_dispatch(sub {
          die 'Access denied'
          if shift->dataof->name =~ /:|'/
          })

          --
          Ilya Martynov (http://martynov.org/)
        • Tom Mornini
          ... Thanks! I ve implemented that and it works as expected. Does the same thing need to be done to XMLRPC::Lite? -- -- Tom Mornini -- eWingz Systems, Inc. --
          Message 4 of 6 , Apr 10, 2002
          • 0 Attachment
            On Wednesday, April 10, 2002, at 11:14 AM, Ilya Martynov wrote:

            > >>>>> On Wed, 10 Apr 2002 09:04:35 -0700, Tom Mornini
            > <tmornini@...> said:
            >
            > TM> That's true. Actual patch does it inside the handler, so you don't
            > TM> need to do anything in your code.
            >
            > TM> does that mean you agree that the immediate fix is:
            >
            > TM> on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })
            >
            > TM> does on_dispatch receive the same parameter list as on_action?
            >
            > According sources it seems that on_dispatch gets only one parameter:
            > request object.
            >
            > So fix should look like
            >
            >     on_dispatch(sub {
            >                         die 'Access denied'
            >                             if shift->dataof->name =~ /:|'/
            >                })

            Thanks! I've implemented that and it works as expected.

            Does the same thing need to be done to XMLRPC::Lite?

            --
            -- Tom Mornini
            -- eWingz Systems, Inc.
            --
            -- ICQ: 113526784, AOL: tmornini, Yahoo: tmornini, MSN: tmornini
          • Ilya Martynov
            ... IM According sources it seems that on_dispatch gets only one parameter: IM request object. IM So fix should look like IM     on_dispatch(sub { IM
            Message 5 of 6 , Apr 10, 2002
            • 0 Attachment
              >>>>> On Wed, 10 Apr 2002 14:03:43 -0700, Tom Mornini <tmornini@...> said:

              IM> According sources it seems that on_dispatch gets only one parameter:
              IM> request object.

              IM> So fix should look like

              IM> ��� on_dispatch(sub {
              IM> ����������������������� die 'Access denied'
              IM> ��������������������������� if shift->dataof->name =~ /:|'/
              IM> �������������� })

              TM> Thanks! I've implemented that and it works as expected.

              TM> Does the same thing need to be done to XMLRPC::Lite?

              XMLRPC::Lite looks like vulnerable because it heavily relies on
              SOAP::Lite code (i.e. XMLRPC::Lite mostly is just collection of
              subclasses of various SOAP::Lite classes).

              I think is not possible to use this on_dispatch handler for
              XMLRPC::Lite::Server objects because unlike SOAP::Server they have
              on_dispatch handler by default. Were it overrided with another it may
              break XMLRPC::Lite functionality. I'm not sure. I've not tested it
              yet. For now it should be safer either use on_action handler or patch
              posted earlier.

              --
              Ilya Martynov (http://martynov.org/)
            Your message has been successfully submitted and would be delivered to recipients shortly.