On Wed, 26 Nov 2014 11:38:28 +0900 Yusuke Iwase <iwase.yusu...@gmail.com> wrote:
> Hi Fujita-san,
>
> I posted the following patch while ago,
> but I'm very sorry that I confused you because I made a mistake.
>
> When you have a time, could you review my patch again please?
Sorry, I overlooked. Applied, thanks a lot!
> Regards,
> Iwase
>
> On 2014年11月10日 13:44, Yusuke Iwase wrote:
>> I'm very sorry I didn't include rest_firewall.py and rest_qos.py in my patch.
>> I suggested for ofctl_rest.py only...
>>
>> Here is the patch for rest_firewall.py and rest_qos.py.
>>
>> ---------------------------------------------------------------
>> Subject: [PATCH] fix security problem of some RESTful apps
>>
>> It is not safe to use eval function because input data(request body) is not
>> checked
>> For example, someone can send this data to remove all files in the directory
>> "import('os').system('rm -rf .')"
>>
>> I suggest to use json.loads to parse the request body if the data is json
>> format
>> or disable builtin functions like:
>> eval(req.body, {"__builtins__":None})
>>
>> Signed-off-by: Takeshi <a86487...@gmail.com>
>> Signed-off-by: IWASE Yusuke <iwase.yusu...@gmail.com>
>> ---
>> ryu/app/rest_firewall.py | 4 ++--
>> ryu/app/rest_qos.py | 2 +-
>> 2 files changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/ryu/app/rest_firewall.py b/ryu/app/rest_firewall.py
>> index 01eb6e2..4e52b1f 100644
>> --- a/ryu/app/rest_firewall.py
>> +++ b/ryu/app/rest_firewall.py
>> @@ -492,7 +492,7 @@ class FirewallController(ControllerBase):
>>
>> def _set_rule(self, req, switchid, vlan_id=VLANID_NONE):
>> try:
>> - rule = eval(req.body)
>> + rule = json.loads(req.body)
>> except SyntaxError:
>> FirewallController._LOGGER.debug('invalid syntax %s', req.body)
>> return Response(status=400)
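Review bot: The `except SyntaxError:` that follows the new `rule = json.loads(req.body)` no longer matches what the call raises: `json.loads` reports malformed input with `ValueError` (`json.JSONDecodeError` is a subclass of it on newer interpreters), not `SyntaxError`, so a malformed request body now propagates out of the handler instead of taking the existing 400 path. Change the handler to `except ValueError:`; the same mismatch is in the `_delete_rule` hunk of rest_firewall.py and the `_access_switch` hunk of rest_qos.py. Because `json.loads` accepts any JSON value, not only objects, the code after the hunk should confirm `isinstance(rule, dict)` before indexing it if it relies on a mapping; `_set_rule`'s body continues outside the hunk. Clients that were sending Python literals rather than strict JSON (single-quoted keys, `True`/`None`) will now be rejected, which is worth a line in the REST API documentation. The `eval(req.body, {"__builtins__":None})` alternative mentioned in the commit message would not have been a safe fallback, since restricting builtins does not sandbox `eval`, so `json.loads` is the right replacement.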
>> @@ -516,7 +516,7 @@ class FirewallController(ControllerBase):
>>
>> def _delete_rule(self, req, switchid, vlan_id=VLANID_NONE):
>> try:
>> - ruleid = eval(req.body)
>> + ruleid = json.loads(req.body)
>> except SyntaxError:
>> FirewallController._LOGGER.debug('invalid syntax %s', req.body)
>> return Response(status=400)
>> diff --git a/ryu/app/rest_qos.py b/ryu/app/rest_qos.py
>> index 057a3fd..537639f 100644
>> --- a/ryu/app/rest_qos.py
>> +++ b/ryu/app/rest_qos.py
>> @@ -499,7 +499,7 @@ class QoSController(ControllerBase):
>>
>> def _access_switch(self, req, switchid, vlan_id, func, waiters):
>> try:
>> - rest = eval(req.body) if req.body else {}
>> + rest = json.loads(req.body) if req.body else {}
>> except SyntaxError:
>> QoSController._LOGGER.debug('invalid syntax %s', req.body)
>> return Response(status=400)
>>
>> --
>> 1.9.1
>
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> _______________________________________________
> Ryu-devel mailing list
> Ryu-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ryu-devel
>
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
_______________________________________________
Ryu-devel mailing list
Ryu-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ryu-devel