Ah, okay,

that sounds good!
Thanks for the info.
Btw: I have updated the red5 server to the version 1.0.0 RC1 now.
Everything is okay from my point of view with that version.
But I will need to run it for a period of time to see any gotchas.

Sebastian

2011/9/4 Maxim Solodovnik <[email protected]>

> Hello Sebastian,
>
> openOrCreateFolder(String dir) method should be renamed to
> logNonExistentFolder or something (I will rename it).
> It just extracts same code blocks and reduces copy/paste.
>
> I removed your fix because it leaves too many holes open. Attacker can use
> ./../../../../../../etc/password or ././../../../../../../etc/password or
> another hack. I see no way to catch all possibilities using input
> string analysis.
> Same time ../openmeetings/upload/image.jpg is a valid path starting with
> "..".
>
> The actual fix is:
> // Requested file is outside OM webapp folder
> if (!f2.getCanonicalPath().startsWith(current_dir)) {
>     throw new Exception("Invalid file requested");
> }
> The final path (used to create f2) is checked to be inside "current_dir".
> This will filter out all files outside webapps/openmeetings folder.
>
> On Sun, Sep 4, 2011 at 17:00, [email protected] <[email protected]
> > wrote:
>
>> Hi Maxim,
>>
>> you've committed a fix in r=4167.
>> You removed my fix actually and added another check. I don't understand
>> the logic behind it, could you explain it?
>>
>> How do you prevent that anybody is using ../ so that he might access files
>> that he should NOT?
>> Your fix would actually create that folder inside it? But we don't want
>> that any folder is created in our webapp dir by just randomizing the params
>> parentPath or fileName?
>>
>> Sebastian
>>
>> --
>> Sebastian Wagner
>> http://www.webbase-design.de
>> http://openmeetings.googlecode.com
>> http://www.wagner-sebastian.com
>>  [email protected]
>>
>
>
>
> --
> WBR
> Maxim aka solomax
>



-- 
Sebastian Wagner
http://www.webbase-design.de
http://openmeetings.googlecode.com
http://www.wagner-sebastian.com
[email protected]

-- 
You received this message because you are subscribed to the Google Groups 
"OpenMeetings developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/openmeetings-dev?hl=en.
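The canonical-path check Maxim describes above, written out as a self-contained Java example. This is an added illustration, not OpenMeetings code from r4167: the class name `SafePathResolver`, the `resolve(parentPath, fileName)` method and the temporary directory layout are assumptions. It shows why the check needs no analysis of `..` in the input string (the canonical path is compared after `.`, `..` and symlinks are folded), why a path that begins with `..` but resolves back inside the webapp is still accepted, and one caveat a plain `startsWith(current_dir)` misses: the comparison is done against the base path plus a trailing separator, so a sibling directory that merely shares the prefix is not accepted.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not OpenMeetings code): resolves a user-supplied
 * parentPath/fileName against a base directory and rejects anything whose
 * canonical location is outside that directory.
 */
public class SafePathResolver {

    private final File baseDir;       // canonical form of the webapp directory
    private final String basePrefix;  // canonical base path plus a separator

    public SafePathResolver(File base) throws IOException {
        this.baseDir = base.getCanonicalFile();
        this.basePrefix = baseDir.getPath() + File.separator;
    }

    /**
     * Returns the canonical File for parentPath/fileName, or throws if the
     * resolved location escapes baseDir. No string analysis of ".." is done:
     * the final path is canonicalised first, so every spelling of a traversal
     * ("../", "./../", "././../", symlinks) ends up compared the same way.
     */
    public File resolve(String parentPath, String fileName) throws IOException {
        File f2 = new File(new File(baseDir, parentPath), fileName);
        String canonical = f2.getCanonicalPath();
        // Compare against "base + separator": with a bare startsWith(base),
        // a sibling such as "<base>2" would also pass the check.
        boolean inside = canonical.equals(baseDir.getPath())
                || canonical.startsWith(basePrefix);
        if (!inside) {
            // Requested file is outside the webapp folder
            throw new IOException("Invalid file requested");
        }
        return new File(canonical);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temp dir so the example runs offline.
        Path base = Files.createTempDirectory("om-webapp");
        Files.createDirectories(base.resolve("upload"));
        Files.createFile(base.resolve("upload").resolve("image.jpg"));
        SafePathResolver r = new SafePathResolver(base.toFile());

        // Starts with ".." but resolves back inside the webapp: accepted.
        String backIn = "../" + base.getFileName() + "/upload";
        System.out.println("accepted: " + r.resolve(backIn, "image.jpg"));

        // Resolves outside the webapp, however the traversal is spelled: rejected.
        for (String attempt : new String[] {"../../..", "./../..", "././../.."}) {
            try {
                r.resolve(attempt, "somefile");
                System.out.println("accepted (unexpected): " + attempt);
            } catch (IOException e) {
                System.out.println("rejected: " + attempt + " -> " + e.getMessage());
            }
        }
    }
}
```

Because the comparison happens on the canonical form of the final path, the check also catches cases the input string never reveals, such as a symlink inside the upload folder pointing elsewhere; the trade-off is that `getCanonicalPath()` touches the filesystem, so it belongs at the point where the file is actually opened.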
