On Tuesday 10:40 AM 8/19/2008, Jim Davidson wrote:
> I would suggest the code snippet of create temp file and use fastpath to
> return contents is not a use case I was solving for or recommend.
It's also not the use case in question--just a simple illustration of the
problem. Here's a more realistic template of a use case (which closely
mirrors the actual code that led to the discovery of the bug):
    eval exec /some/external/program --output-file $tempfile
    ns_returnfile 200 text/plain $tempfile
    ns_unlink -nocomplain $tempfile
In other words, run an external program that writes its output to
$tempfile, return that file to the user, and delete the file. This is a
case in which ns_returnfile seems like the obvious and appropriate
call--but if this procedure is run on behalf of users A and B within the
same second (which is common on an active web server), and the results in
$tempfile are the same length, B will get A's output. Depending on what
information the external program writes to $tempfile, this could easily
represent a security breach.
That example involves timing between two different users, but something
like the following will also trigger the bug:
    foreach user $users {
        eval exec /some/external/program --output-file $tempfile --user $user
        ns_returnfile 200 text/plain $tempfile
    }
Again, this code looks perfectly appropriate, but it's very likely to
return incorrect data due to this bug. Note that the ns_unlink isn't even
required in this case.
Also, regarding "use fastpath to return content": the developer in this
case didn't know fastpath from a hole in the ground--after all, they were
calling ns_returnfile, not fastpath. fastpath is just the
behind-the-scenes mechanism that was making "ns_returnfile X" return a
file other than X. And generally speaking, I'd say it's perfectly
reasonable for a developer to believe that "ns_returnfile X" actually will
return file X.
- John
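The following is an added example, not code from this thread or from AOLserver. It models the failure John describes with a small Python file cache: the "weak" variant treats a file as unchanged when its path, size and whole-second mtime all match (an assumption chosen to reproduce the "same second, same length" condition in the post, not a statement of how fastpath is implemented), while the "strict" variant also compares the nanosecond mtime and inode. It then runs the shared-$tempfile pattern and the alternative of a unique per-request temp file (tempfile.mkstemp) through both. Timestamps are pinned with os.utime so the collision is deterministic; all file contents and the timestamp are constructed.

```python
import os
import tempfile


class FileCache:
    """Constructed model of a fastpath-style cache keyed by path.

    strict=False: entry is reused when size and whole-second mtime match.
    strict=True:  entry is reused only when size, nanosecond mtime and inode match.
    Neither is AOLserver's real code; both exist to show the difference.
    """

    def __init__(self, strict):
        self.strict = strict
        self._entries = {}  # path -> (validation stamp, cached bytes)

    def _stamp(self, st):
        if self.strict:
            return (st.st_size, st.st_mtime_ns, st.st_ino)
        return (st.st_size, int(st.st_mtime))

    def returnfile(self, path):
        """Return the bytes a client would receive for `path`."""
        stamp = self._stamp(os.stat(path))
        entry = self._entries.get(path)
        if entry is None or entry[0] != stamp:
            with open(path, "rb") as f:
                entry = (stamp, f.read())
            self._entries[path] = entry
        return entry[1]


# Constructed outputs: same length, different content, as in the post.
OUTPUTS = [b"secret for user A\n", b"secret for user B\n"]
# Constructed fixed timestamp (nanoseconds) so both writes land in one second.
BASE_NS = 1_219_152_000 * 1_000_000_000


def shared_tempfile_scenario(cache, workdir):
    """Two requests reuse one $tempfile path; second write is same length."""
    path = os.path.join(workdir, "output.tmp")
    served = []
    for i, body in enumerate(OUTPUTS):
        with open(path, "wb") as f:  # truncates in place: inode is unchanged
            f.write(body)
        # Pin mtime: same whole second, different sub-second part.
        t = BASE_NS + i * 500_000_000
        os.utime(path, ns=(t, t))
        served.append(cache.returnfile(path))
    os.unlink(path)
    return served


def unique_tempfile_scenario(cache, workdir):
    """Each request gets its own mkstemp path, so the cache never sees a reused name."""
    served = []
    for i, body in enumerate(OUTPUTS):
        fd, path = tempfile.mkstemp(dir=workdir)
        with os.fdopen(fd, "wb") as f:
            f.write(body)
        t = BASE_NS + i * 500_000_000
        os.utime(path, ns=(t, t))
        served.append(cache.returnfile(path))
        os.unlink(path)
    return served


def run_demo():
    """Run all combinations in a scratch directory and return what each served."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "weak_shared": shared_tempfile_scenario(FileCache(strict=False), d),
            "strict_shared": shared_tempfile_scenario(FileCache(strict=True), d),
            "weak_unique": unique_tempfile_scenario(FileCache(strict=False), d),
        }


if __name__ == "__main__":
    for name, served in run_demo().items():
        print(name, served)
```

In the weak cache, the second request on the shared path is served user A's output, which is exactly the cross-user leak the post describes. The strict validator catches this rewrite because the nanosecond mtime differs, but that only holds on filesystems that record sub-second timestamps; the inode check does not help here because the file was truncated in place. The unique-path variant is the option that does not depend on cache validation at all, which is why a per-request mkstemp name is the safer pattern for this use case.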
--
AOLserver - http://www.aolserver.com/
To remove yourself from this list, simply send an email to <[EMAIL PROTECTED]>
with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the
Subject: field of your email blank.