I'll test it too.
Currently going to fix import http://code.google.com/p/openmeetings/issues/detail?id=1471
On Sun, Sep 4, 2011 at 17:51, [email protected] <[email protected]> wrote:
> Ah Okay,
>
> that sounds good!
> Thanks for the info.
> Btw: I have updated the red5 server to the version 1.0.0 RC1 now.
> Everything is okay from my point of view with that version.
> But I will need to run it for a period of time to see any gotchas.
>
> Sebastian
>
>
> 2011/9/4 Maxim Solodovnik <[email protected]>
>
>> Hello Sebastian,
>>
>> openOrCreateFolder(String dir) method should be renamed to
>> logNonExistentFolder or something (I will rename it).
>> It just extracts same code blocks and reduces copy/paste.
>>
>> I removed your fix because it leaves too many holes open. Attacker can use
>> ./../../../../../../etc/password or ././../../../../../../etc/password or
>> another hack. I see no way to catch all possibilities using input
>> string analysis.
>> Same time ../openmeetings/upload/image.jpg is a valid path starting with
>> "..".
>>
>> The actual fix is:
>> //Requested file is outside OM webapp folder
>> if (!f2.getCanonicalPath().startsWith(current_dir)) {
>>     throw new Exception("Invalid file requested");
>> }
>> The final path (used to create f2) is checked to be inside "current_dir".
>> This will filter out all files outside webapps/openmeetings folder.
>>
>> On Sun, Sep 4, 2011 at 17:00, [email protected] <[email protected]> wrote:
>>
>>> Hi Maxim,
>>>
>>> you've committed a fix in r=4167.
>>> You removed my fix actually and added another check. I don't understand
>>> the logic behind it, could you explain it?
>>>
>>> How do you prevent that anybody is using ../ so that he might access
>>> files that he should NOT?
>>> Your fix would actually create that folder inside it? But we don't want
>>> that any folder is created in our webapp dir by just randomizing the params
>>> parentPath or fileName?
>>>
>>> Sebastian
>>>
>>> --
>>> Sebastian Wagner
>>> http://www.webbase-design.de
>>> http://openmeetings.googlecode.com
>>> http://www.wagner-sebastian.com
>>> [email protected]
>>>
>>
>>
>>
>> --
>> WBR
>> Maxim aka solomax
>>
>
>
>
> --
> Sebastian Wagner
> http://www.webbase-design.de
> http://openmeetings.googlecode.com
> http://www.wagner-sebastian.com
> [email protected]
>

--
WBR
Maxim aka solomax

--
You received this message because you are subscribed to the Google Groups "OpenMeetings developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/openmeetings-dev?hl=en.
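The canonical-path containment check that Maxim describes in the thread above, written out as an added, self-contained example; it is not code from the thread or from OpenMeetings itself. The base directory is a constructed path under `java.io.tmpdir`, and `parentPath`/`fileName` are hypothetical request parameters mirroring the ones Sebastian names. One refinement beyond the quoted snippet: the base path is given a trailing `File.separator` before the `startsWith` test, so that a sibling directory whose name merely begins with the same characters (an `openmeetings2` next to `openmeetings`) does not pass a plain string-prefix comparison.

```java
import java.io.File;
import java.io.IOException;

/**
 * Resolves a requested parentPath/fileName under a fixed base directory and
 * rejects any result whose canonical location lies outside that directory.
 * Added example; assumes a base directory supplied by the caller.
 */
public class SafePathCheck {

    // Canonical base directory, always ending with the platform separator.
    private final String baseCanonical;

    public SafePathCheck(File baseDir) throws IOException {
        String canonical = baseDir.getCanonicalPath();
        // The trailing separator is what keeps ".../openmeetings2/..." from
        // matching a base of ".../openmeetings" by prefix alone.
        this.baseCanonical = canonical.endsWith(File.separator)
                ? canonical
                : canonical + File.separator;
    }

    /**
     * Returns the resolved file if its canonical path stays inside the base
     * directory; throws otherwise. Canonicalization collapses "." and ".."
     * and follows symbolic links, so the check is done on the final path
     * rather than on the raw input string.
     */
    public File resolve(String parentPath, String fileName) throws IOException {
        File f2 = new File(new File(baseCanonical, parentPath), fileName);
        String canonical = f2.getCanonicalPath();
        if (!canonical.startsWith(baseCanonical)) {
            throw new IOException("Invalid file requested");
        }
        return f2;
    }

    /** Convenience wrapper: true when the request resolves inside the base. */
    public boolean isInside(String parentPath, String fileName) {
        try {
            resolve(parentPath, fileName);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout for the demonstration; nothing is created on disk.
        File webapps = new File(System.getProperty("java.io.tmpdir"), "om-demo" + File.separator + "webapps");
        File base = new File(webapps, "openmeetings");
        SafePathCheck check = new SafePathCheck(base);

        // Plain upload inside the webapp folder.
        System.out.println("upload/image.jpg: " + check.isInside("upload", "image.jpg"));
        // Starts with ".." but loops back into the webapp folder (Maxim's valid case).
        System.out.println("../openmeetings/upload/image.jpg: "
                + check.isInside("../openmeetings/upload", "image.jpg"));
        // Climbs out of the webapp folder entirely.
        System.out.println("./../../../../../../etc/passwd: "
                + check.isInside("./../../../../../../etc", "passwd"));
        // Sibling directory sharing the base name as a prefix.
        System.out.println("../openmeetings2/x.jpg: " + check.isInside("../openmeetings2", "x.jpg"));
    }
}
```

The decision is made on `getCanonicalPath()` of the fully assembled file, not on the request parameters, which is why the input-string patterns Maxim lists do not need to be enumerated. Because the base directory is canonicalized the same way, a base that sits behind a symlink (for example a `/tmp` that resolves to `/private/tmp`) still compares correctly against resolved request paths.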
