Hi Fujita-san,

I posted the following patch a while ago,
but I'm very sorry that I confused you because I made a mistake.

When you have time, could you review my patch again, please?

Regards,
Iwase

On 2014-11-10 13:44, Yusuke Iwase wrote:
> I'm very sorry I didn't include rest_firewall.py and rest_qos.py in my patch.
> I suggested for ofctl_rest.py only...
> 
> Here is the patch for rest_firewall.py and rest_qos.py.
> 
> ---------------------------------------------------------------
> Subject: [PATCH] fix security problem of some RESTful apps
> 
> It is not safe to use the eval function because the input data (request body) is not checked.
> For example, someone can send this data to remove all files in the directory:
> "import('os').system('rm -rf .')"
> 
> I suggest using json.loads to parse the request body if the data is in JSON format,
> or disabling builtin functions like:
> eval(req.body, {"__builtins__":None})
> 
> Signed-off-by: Takeshi <a86487...@gmail.com>
> Signed-off-by: IWASE Yusuke <iwase.yusu...@gmail.com>
> ---
>  ryu/app/rest_firewall.py | 4 ++--
>  ryu/app/rest_qos.py      | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/ryu/app/rest_firewall.py b/ryu/app/rest_firewall.py
> index 01eb6e2..4e52b1f 100644
> --- a/ryu/app/rest_firewall.py
> +++ b/ryu/app/rest_firewall.py
> @@ -492,7 +492,7 @@ class FirewallController(ControllerBase):
>  
>      def _set_rule(self, req, switchid, vlan_id=VLANID_NONE):
>          try:
> -            rule = eval(req.body)
> +            rule = json.loads(req.body)
>          except SyntaxError:
>              FirewallController._LOGGER.debug('invalid syntax %s', req.body)
>              return Response(status=400)
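Review bot: the `except SyntaxError:` clause in this hunk no longer matches the call it guards. `json.loads` raises `ValueError` (`json.JSONDecodeError`, a `ValueError` subclass, on Python 3) for malformed input, never `SyntaxError`, so a bad request body will now propagate out of `_set_rule` as an unhandled exception instead of reaching the `Response(status=400)` below. Change the clause to `except ValueError:`. The diff also touches no import line, so please confirm `json` is already imported in rest_firewall.py.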
> @@ -516,7 +516,7 @@ class FirewallController(ControllerBase):
>  
>      def _delete_rule(self, req, switchid, vlan_id=VLANID_NONE):
>          try:
> -            ruleid = eval(req.body)
> +            ruleid = json.loads(req.body)
>          except SyntaxError:
>              FirewallController._LOGGER.debug('invalid syntax %s', req.body)
>              return Response(status=400)
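Review bot: same mismatch as in `_set_rule`: `except SyntaxError:` will not catch the `ValueError` that `json.loads(req.body)` raises on malformed input, so the `status=400` path in `_delete_rule` becomes dead code. Use `except ValueError:` here as well.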
> diff --git a/ryu/app/rest_qos.py b/ryu/app/rest_qos.py
> index 057a3fd..537639f 100644
> --- a/ryu/app/rest_qos.py
> +++ b/ryu/app/rest_qos.py
> @@ -499,7 +499,7 @@ class QoSController(ControllerBase):
>  
>      def _access_switch(self, req, switchid, vlan_id, func, waiters):
>          try:
> -            rest = eval(req.body) if req.body else {}
> +            rest = json.loads(req.body) if req.body else {}
>          except SyntaxError:
>              QoSController._LOGGER.debug('invalid syntax %s', req.body)
>              return Response(status=400)
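Review bot: `except SyntaxError:` needs to become `except ValueError:` in `_access_switch` too, otherwise a malformed body bypasses the `Response(status=400)` at the end of the hunk. The `if req.body else {}` guard handles an empty body, but `json.loads` also accepts valid JSON that is not an object (a bare number or a list) and returns a non-dict; since the fallback value is `{}`, the code after this hunk presumably treats `rest` as a dict, so an explicit `isinstance(rest, dict)` check before using it would close that gap.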
> 
> -- 
> 1.9.1
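The patch above swaps `eval` for `json.loads` but keeps `except SyntaxError:`, which `json.loads` never raises. The following is an added example, written for this thread and not code from the Ryu project or from the patch author, that puts the patched handler shape beside a hardened variant and shows on constructed request bodies (not taken from the thread) which inputs escape the patched handler as an unhandled exception. The function and constant names are the example's own.

```python
import json
from typing import Optional, Tuple

# Constructed request bodies for the demonstration (not from the original thread).
VALID_RULE = '{"nw_src": "10.0.0.0/24", "actions": "DENY"}'
TRUNCATED_JSON = '{"nw_src": "10.0.0.0/24", '   # syntactically broken JSON
PYTHON_EXPR = "1 + 1"                           # valid Python expression, not JSON
WRONG_SHAPE = '[1, 2, 3]'                       # valid JSON, but not an object


def parse_rule_as_patched(body: str) -> Tuple[int, Optional[object]]:
    """Shape of the handlers after the patch: json.loads guarded only by
    'except SyntaxError'. Returns (http_status, parsed_rule)."""
    try:
        rule = json.loads(body)
    except SyntaxError:             # json.loads never raises this
        return 400, None
    return 200, rule


def parse_rule_hardened(body: str) -> Tuple[int, Optional[dict]]:
    """Hardened variant (this example's suggestion, not the project's code):
    catch the exception json.loads actually raises and require a JSON object,
    since eval() used to accept any Python literal and callers expect a dict."""
    try:
        rule = json.loads(body)
    except ValueError:              # json.JSONDecodeError is a ValueError subclass
        return 400, None
    if not isinstance(rule, dict):  # reject numbers, lists, strings, null
        return 400, None
    return 200, rule


def escaping_exception(body: str) -> Optional[str]:
    """Name of the exception that propagates out of parse_rule_as_patched,
    or None if the patched handler dealt with the input itself."""
    try:
        parse_rule_as_patched(body)
    except Exception as exc:        # broad on purpose: reporting, not handling
        return type(exc).__name__
    return None


if __name__ == "__main__":
    for body in (VALID_RULE, TRUNCATED_JSON, PYTHON_EXPR, WRONG_SHAPE):
        print(repr(body), "-> escapes as:", escaping_exception(body),
              "| hardened:", parse_rule_hardened(body))
```

Running it shows that the truncated body and the Python expression both leave the patched handler as `JSONDecodeError` (the 400 path is never taken), while the list body is accepted by the patched handler with status 200 and a non-dict value; the hardened variant turns all three into a 400 and passes only the well-formed rule object through.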


_______________________________________________
Ryu-devel mailing list
Ryu-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ryu-devel