Ah Okay, that sounds good! Thanks for the info. Btw: I have updated the red5 server to the version 1.0.0 RC1 now. Everything is okay from my point of view with that version. But I will need to run it for a period of time to see any gotchas.
Sebastian

2011/9/4 Maxim Solodovnik <[email protected]>

> Hello Sebastian,
>
> openOrCreateFolder(String dir) method should be renamed to
> logNonExistentFolder or something (I will rename it).
> It just extracts same code blocks and reduces copy/paste.
>
> I removed your fix because it leaves too many holes open. Attacker can use
> ./../../../../../../etc/password or ././../../../../../../etc/password or
> another hack. I see no way to catch all possibilities using input
> string analysis.
> Same time ../openmeetings/upload/image.jpg is a valid path starting with
> "..".
>
> The actual fix is:
>
>     //Requested file is outside OM webapp folder
>     if (!f2.getCanonicalPath().startsWith(current_dir)) {
>         throw new Exception("Invalid file requested");
>     }
>
> The final path (used to create f2) is checked to be inside "current_dir".
> This will filter out all files outside webapps/openmeetings folder.
>
> On Sun, Sep 4, 2011 at 17:00, [email protected] <[email protected]> wrote:
>
>> Hi Maxim,
>>
>> you've committed a fix in r=4167.
>> You removed my fix actually and added another check. I don't understand
>> the logic behind it, could you explain it?
>>
>> How do you prevent that anybody is using ../ so that he might access files
>> that he should NOT?
>> Your fix would actually create that folder inside it? But we don't want
>> that any folder is created in our webapp dir by just randomizing the params
>> parentPath or fileName?
>>
>> Sebastian
>>
>> --
>> Sebastian Wagner
>> http://www.webbase-design.de
>> http://openmeetings.googlecode.com
>> http://www.wagner-sebastian.com
>> [email protected]
>
> --
> WBR
> Maxim aka solomax

--
Sebastian Wagner
http://www.webbase-design.de
http://openmeetings.googlecode.com
http://www.wagner-sebastian.com
[email protected]

You received this message because you are subscribed to the Google Groups "OpenMeetings developers" group.
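The canonical-path check Maxim describes, worked through as an added example that is not code from the OpenMeetings project. It is written in Python rather than the project's Java, uses a constructed temporary directory layout in place of webapps/openmeetings, and the parameter names parentPath/fileName from the thread are kept as parent_path/file_name. It puts a direct transcription of the bare startsWith comparison beside a separator-aware version: resolving the final path rather than filtering the request string is what rejects the ./.. and ././.. variants and still accepts ../openmeetings/upload/image.jpg, but a bare prefix comparison also accepts a sibling directory whose name merely begins with the base name, so the hardened form compares against the base plus a trailing separator.

```python
import os
import tempfile


def naive_prefix_check(base_dir: str, parent_path: str, file_name: str) -> bool:
    """Transcription of the thread's check: canonical path startsWith(base)."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, parent_path, file_name))
    return candidate.startswith(base)


def resolve_inside(base_dir: str, parent_path: str, file_name: str):
    """Return the canonical path of base_dir/parent_path/file_name only if it
    lies strictly inside base_dir; otherwise return None.

    realpath() collapses '.', '..' and symlinks, so the decision is taken on
    the final filesystem location, not on the request string. The prefix is
    compared with a trailing separator so that a sibling directory such as
    '.../openmeetings2' is not accepted for a base of '.../openmeetings'.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, parent_path, file_name))
    if candidate.startswith(base + os.sep):
        return candidate
    return None


def demo() -> dict:
    """Run both checks over constructed requests against a constructed
    webapps layout (hypothetical paths, built in a temporary directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "webapps", "openmeetings")
        os.makedirs(os.path.join(base, "upload"))
        os.makedirs(os.path.join(tmp, "webapps", "openmeetings2"))  # sibling dir
        cases = {
            "plain": ("upload", "image.jpg"),
            # starts with ".." yet resolves back inside the webapp, as in the thread
            "dotdot_but_inside": ("../openmeetings/upload", "image.jpg"),
            "traversal": ("./../../../../../../etc", "passwd"),
            "dot_slash_traversal": ("././../../../../../../etc", "passwd"),
            # os.path.join discards base when given an absolute component
            "absolute": (os.sep + "etc", "passwd"),
            # same leading characters as base, but a different directory
            "sibling_prefix": ("../openmeetings2", "secret.txt"),
        }
        return {
            name: {
                "canonical": resolve_inside(base, p, f) is not None,
                "naive": naive_prefix_check(base, p, f),
            }
            for name, (p, f) in cases.items()
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} naive={verdict['naive']!s:5s} canonical={verdict['canonical']}")
```

Both checks agree on the traversal and absolute-path requests and on the legitimate ones; they differ only on the sibling-directory request, which the bare prefix comparison lets through. In Java the same effect is obtained by comparing against current_dir with File.separator appended, or by using the resolved path's parent chain rather than a string prefix.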
