[
https://issues.apache.org/jira/browse/OODT-657?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13803357#comment-13803357
]
Rishi Verma commented on OODT-657:
----------------------------------
I plan to commit this patch ASAP so that people can begin applying it right
away to systems using web-grid or OODT product handlers.
That being said, the ideal way to fix this issue is to reevaluate the
interfaces that OODT Product Handlers implement to ensure that OFSN validation
always occurs. In other words, I suggest we modify the OFSNGetHandler [1] and
OFSNListHandler [2] interfaces to specify that OFSN objects be passed in to
methods like retrieveChunk and getListing instead of String filepaths. Within a
new OFSN object that we will have to create, we can ensure the constructor
validates the OFSN before the object is created, thus invalid OFSNs cannot
exist by definition. Doing this kind of change to the interfaces mentioned
above will obviously break any implemented handlers - thus the patch I've
applied does not take this approach until we can bring a consensus on this
issue. The problem with the patch, though, is that any future implemented handlers
(or project-specific handlers people have created independently) will
themselves need to ensure OFSN paths passed in are properly validated - which
might be overlooked by people if they don't know they need to do validation in
the first place.
--
[1]
http://svn.apache.org/repos/asf/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/OFSNGetHandler.java
[2]
http://svn.apache.org/repos/asf/oodt/trunk/product/src/main/java/org/apache/oodt/product/handlers/ofsn/OFSNListHandler.java
> Security vulnerability in web-grid allows the listing and downloading of any
> file on system
> -------------------------------------------------------------------------------------------
>
> Key: OODT-657
> URL: https://issues.apache.org/jira/browse/OODT-657
> Project: OODT
> Issue Type: Bug
> Components: grid, product server
> Affects Versions: 0.6
> Reporter: Rishi Verma
> Priority: Critical
> Fix For: 0.7
>
> Attachments: OODT-657.rverma.10-23-2013.patch.txt
>
>
> The web-grid framework currently has a security vulnerability that allows an
> attacker to list and download any file on the system.
> As it turns out, the "OFSN" parameter within the URL requests passed to
> registered product handlers is not validated (for accessing UNIX-style parent
> directory codes) by either web-grid or the product handlers themselves. Thus,
> arbitrary file paths (containing the UNIX-style parent directory codes) can
> be sent in and, in effect, allow the downloading of any file on the system.
> e.g.
> http://localhost:8080/web-grid-0.7-SNAPSHOT/prod?q=OFSN=/../../../../../etc/passwd+AND+RT%3DRAW
> I'm elevating this issue to critical level.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
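
The validating-constructor design proposed in the comment above, sketched as an added example (not part of the original message, the attached patch, or OODT's code). The class name `Ofsn`, its constructor parameters, and the nested `GetHandler` signature are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical value type: an instance can only exist for a path inside the product root. */
public final class Ofsn {
    private final Path resolved;

    public Ofsn(String productRoot, String requested) throws IOException {
        if (requested == null || requested.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("OFSN is null or contains a NUL byte");
        }
        // Canonicalize the root once so symlinks in the root itself do not cause false rejections.
        Path root = Paths.get(productRoot).toRealPath();
        // Treat the OFSN as relative to the root, even when it starts with '/'.
        String relative = requested.replaceFirst("^/+", "");
        Path candidate = root.resolve(relative).normalize();
        // After normalize(), a path that climbed above the root no longer has it as a prefix.
        // Path.startsWith compares whole name elements, so "/data" does not match "/database".
        // Symlinks below the root are not resolved by this check.
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("OFSN escapes product root: " + requested);
        }
        this.resolved = candidate;
    }

    public Path toPath() {
        return resolved;
    }

    /** Hypothetical handler signature: takes the validated type instead of a String filepath. */
    interface GetHandler {
        byte[] retrieveChunk(Ofsn ofsn, long offset, int length) throws IOException;
    }

    public static void main(String[] args) throws IOException {
        String root = System.getProperty("java.io.tmpdir"); // constructed sample root
        System.out.println("accepted: " + new Ofsn(root, "/data/file.raw").toPath());
        try {
            new Ofsn(root, "/../../../../../etc/passwd"); // OFSN value from the report's URL
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because handlers would receive an `Ofsn` rather than a `String`, a project-specific handler cannot skip validation: the compiler forces every caller through the constructor.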