Re: [soaplite] Re: Preventing package name traversal attacks

  • Ilya Martynov
    Message 1 of 6 , Apr 10, 2002
      >>>>> On Wed, 10 Apr 2002 09:04:35 -0700, Tom Mornini <tmornini@...> said:

      TM> That's true. Actual patch does it inside the handler, so you don't
      TM> need to do anything in your code.

      TM> does that mean you agree that the immediate fix is:

      TM> on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })

      TM> does on_dispatch receive the same parameter list as on_action?

      According to the sources, it seems that on_dispatch gets only one parameter:
      the request object.

      So the fix should look like

          on_dispatch(sub {
              die 'Access denied'
                  if shift->dataof->name =~ /:|'/
          })

      --
      Ilya Martynov (http://martynov.org/)
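    As an added illustration (not code from the thread or from SOAP::Lite itself), this stand-alone script shows why the check above rejects both ':' and "'": Perl accepts the apostrophe as a legacy package separator, so a fully qualified name handed to can() resolves to a sub in any package. The package and sub names are made up for the demo.

    ```perl
    #!/usr/bin/perl
    # Added example: an unchecked dispatcher beside one guarded by the
    # on_dispatch rule from the thread. Package names below are constructed.
    use strict;
    use warnings;

    package Admin::Tools;          # constructed: must NOT be reachable by clients
    sub dangerous { return "reached Admin::Tools::dangerous" }

    package My::Service;           # constructed: the class the server means to expose
    sub hello { return "hello from My::Service" }

    package main;

    # Same rule the thread settles on: refuse any name containing a package
    # separator. Perl treats both '::' and the legacy "'" as separators, so
    # "Admin::Tools::dangerous" and "Admin'Tools'dangerous" name the same sub.
    sub method_name_is_safe {
        my ($name) = @_;
        return 0 if $name =~ /:|'/;
        return $name =~ /^[A-Za-z_]\w*$/ ? 1 : 0;
    }

    # Unchecked dispatch: a qualified name given to can() resolves outside
    # the intended class, which is the traversal the thread is about.
    sub dispatch_unchecked {
        my ($class, $name) = @_;
        my $code = $class->can($name) or return "no such method";
        return $code->($class);
    }

    # Guarded dispatch: validate the name before resolving it.
    sub dispatch_guarded {
        my ($class, $name) = @_;
        return "Access denied" unless method_name_is_safe($name);
        return dispatch_unchecked($class, $name);
    }

    for my $name ("hello", "Admin::Tools::dangerous", "Admin'Tools'dangerous") {
        printf "%-26s unchecked: %-36s guarded: %s\n",
            $name,
            dispatch_unchecked('My::Service', $name),
            dispatch_guarded('My::Service', $name);
    }
    ```

    Only the first name reaches My::Service::hello through the guarded path; the two qualified forms are refused before can() is consulted.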
    • Tom Mornini
      Message 2 of 6 , Apr 10, 2002
        On Wednesday, April 10, 2002, at 11:14 AM, Ilya Martynov wrote:

        > >>>>> On Wed, 10 Apr 2002 09:04:35 -0700, Tom Mornini
        > <tmornini@...> said:
        >
        > TM> That's true. Actual patch does it inside the handler, so you don't
        > TM> need to do anything in your code.
        >
        > TM> does that mean you agree that the immediate fix is:
        >
        > TM> on_dispatch(sub { die 'Access denied' if $_[2] =~ /:|'/ })
        >
        > TM> does on_dispatch receive the same parameter list as on_action?
        >
        > According to the sources, it seems that on_dispatch gets only one parameter:
        > the request object.
        >
        > So the fix should look like
        >
        >     on_dispatch(sub {
        >                         die 'Access denied'
        >                             if shift->dataof->name =~ /:|'/
        >                })

        Thanks! I've implemented that and it works as expected.

        Does the same thing need to be done to XMLRPC::Lite?

        --
        -- Tom Mornini
        -- eWingz Systems, Inc.
        --
        -- ICQ: 113526784, AOL: tmornini, Yahoo: tmornini, MSN: tmornini
      • Ilya Martynov
        Message 3 of 6 , Apr 10, 2002
          >>>>> On Wed, 10 Apr 2002 14:03:43 -0700, Tom Mornini <tmornini@...> said:

          IM> According to the sources, it seems that on_dispatch gets only one parameter:
          IM> the request object.

          IM> So the fix should look like

          IM>     on_dispatch(sub {
          IM>         die 'Access denied'
          IM>             if shift->dataof->name =~ /:|'/
          IM>     })

          TM> Thanks! I've implemented that and it works as expected.

          TM> Does the same thing need to be done to XMLRPC::Lite?

          XMLRPC::Lite looks vulnerable because it heavily relies on
          SOAP::Lite code (i.e. XMLRPC::Lite is mostly just a collection of
          subclasses of various SOAP::Lite classes).

          I think it is not possible to use this on_dispatch handler for
          XMLRPC::Lite::Server objects because, unlike SOAP::Server, they have
          an on_dispatch handler by default. Were it overridden with another, it may
          break XMLRPC::Lite functionality. I'm not sure. I've not tested it
          yet. For now it should be safer either to use the on_action handler or the patch
          posted earlier.

          --
          Ilya Martynov (http://martynov.org/)