Loading ...
Sorry, an error occurred while loading the content.

Re: [soaplite] Re: Preventing package name traversal attacks

Expand Messages
  • Tom Mornini
    ... does that mean you agree that the immediate fix is: on_dispatch(sub { die Access denied if $_[2] =~ /:| / }) does on_dispatch receive the same parameter
    Message 1 of 6 , Apr 10, 2002
    • 0 Attachment
      On Wednesday, April 10, 2002, at 07:42 AM, Paul Kulchenko wrote:

      > --- "Randy J. Ray" <rjray@...> wrote:
      > > -> on_action(sub { die "Access denied\n" if $_[2] =~
      > /:|'/ })<BR>
      >
      > >While looking into this last night, I was thinking that the
      > >on_dispatch() handler might be a better way to go-- it gets run
      > >earlier than the on_action() handler does. Plus, it seems to make
      > >more send to my (sleep-deprived) brain, since I would expect the
      > >on_action() hook to accompany an action that is taking place, not
      > >prevent one at the last minute. But I guess it's just a
      > >matter of taste, as to which you use.
      >
      > That's true. Actual patch does it inside the handler, so you don't
      > need to do anything in your code.

      does that mean you agree that the immediate fix is:

      on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })

      does on_dispatch receive the same parameter list as on_action?

      --
      -- Tom Mornini
      -- InfoMania Printing and Prepress
      --
      -- ICQ: 113526784, AOL: tmornini, Yahoo: tmornini, MSN: tmornini
    • Ilya Martynov
      ... TM That s true. Actual patch does it inside the handler, so you don t TM need to do anything in your code. TM does that mean you agree that the
      Message 2 of 6 , Apr 10, 2002
      • 0 Attachment
        >>>>> On Wed, 10 Apr 2002 09:04:35 -0700, Tom Mornini <tmornini@...> said:

        TM> That's true. Actual patch does it inside the handler, so you don't
        TM> need to do anything in your code.

        TM> does that mean you agree that the immediate fix is:

        TM> on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })

        TM> does on_dispatch receive the same parameter list as on_action?

        According sources it seems that on_dispatch gets only one parameter:
        request object.

        So fix should look like

        on_dispatch(sub {
        die 'Access denied'
        if shift->dataof->name =~ /:|'/
        })

        --
        Ilya Martynov (http://martynov.org/)
      • Tom Mornini
        ... Thanks! I ve implemented that and it works as expected. Does the same thing need to be done to XMLRPC::Lite? -- -- Tom Mornini -- eWingz Systems, Inc. --
        Message 3 of 6 , Apr 10, 2002
        • 0 Attachment
          On Wednesday, April 10, 2002, at 11:14 AM, Ilya Martynov wrote:

          > >>>>> On Wed, 10 Apr 2002 09:04:35 -0700, Tom Mornini
          > <tmornini@...> said:
          >
          > TM> That's true. Actual patch does it inside the handler, so you don't
          > TM> need to do anything in your code.
          >
          > TM> does that mean you agree that the immediate fix is:
          >
          > TM> on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })
          >
          > TM> does on_dispatch receive the same parameter list as on_action?
          >
          > According sources it seems that on_dispatch gets only one parameter:
          > request object.
          >
          > So fix should look like
          >
          >     on_dispatch(sub {
          >                         die 'Access denied'
          >                             if shift->dataof->name =~ /:|'/
          >                })

          Thanks! I've implemented that and it works as expected.

          Does the same thing need to be done to XMLRPC::Lite?

          --
          -- Tom Mornini
          -- eWingz Systems, Inc.
          --
          -- ICQ: 113526784, AOL: tmornini, Yahoo: tmornini, MSN: tmornini
        • Ilya Martynov
          ... IM According sources it seems that on_dispatch gets only one parameter: IM request object. IM So fix should look like IM     on_dispatch(sub { IM
          Message 4 of 6 , Apr 10, 2002
          • 0 Attachment
            >>>>> On Wed, 10 Apr 2002 14:03:43 -0700, Tom Mornini <tmornini@...> said:

            IM> According sources it seems that on_dispatch gets only one parameter:
            IM> request object.

            IM> So fix should look like

            IM> ��� on_dispatch(sub {
            IM> ����������������������� die 'Access denied'
            IM> ��������������������������� if shift->dataof->name =~ /:|'/
            IM> �������������� })

            TM> Thanks! I've implemented that and it works as expected.

            TM> Does the same thing need to be done to XMLRPC::Lite?

            XMLRPC::Lite looks like vulnerable because it heavily relies on
            SOAP::Lite code (i.e. XMLRPC::Lite mostly is just collection of
            subclasses of various SOAP::Lite classes).

            I think is not possible to use this on_dispatch handler for
            XMLRPC::Lite::Server objects because unlike SOAP::Server they have
            on_dispatch handler by default. Were it overrided with another it may
            break XMLRPC::Lite functionality. I'm not sure. I've not tested it
            yet. For now it should be safer either use on_action handler or patch
            posted earlier.

            --
            Ilya Martynov (http://martynov.org/)
          Your message has been successfully submitted and would be delivered to recipients shortly.