If we're worried about messing up someone else's stuff, we could always add an addition here rather than changing it. So right after this:
----------------------------------------------------------
    elsif ($name =~ m[^\.+/]) {
        # anything starting "./" is relative to cwd, allowed if RELATIVE set
        ($data, $error) = $self->{ RELATIVE }
            ? $self->_fetch($name)
            : $self->{ TOLERANT }
                ? (undef, Template::Constants::STATUS_DECLINED)
                : ("$name: relative paths are not allowed (set RELATIVE option)",
                   Template::Constants::STATUS_ERROR);
    }
----------------------------------------------------------
we could do something like:
----------------------------------------------------------
    elsif ($self->{ DISABLE_RELATIVE_NEW } && $name =~ m[(?:^|/)\.+/]) {
        # same stuff in here as the regular elsif specified above.
    }
----------------------------------------------------------
In this manner the normal behavior won't be changed unless someone specifies to use the new relative disabling.
Honestly, I'd prefer not to go that route, and just fix things with the regular expression mentioned in my first post.
Thoughts?
-- Josh
Josh Rosenbaum wrote:
This is related to the following:
Template Toolkit 2.14
Provider.pm - 2.81
I believe the RELATIVE path option has a small problem. While doing some testing, I noticed that I was able to do this:
[% INCLUDE foo/../../../../etc/passwd %]
(with RELATIVE/ABSOLUTE both set to 0, and foo is in the INCLUDE path of '/a/path/here/'; in other words, '/a/path/here/foo/' exists.)
I believe this is related to line 136 of Template/Provider.pm: " elsif ($name =~ m[^\.+/]) {"
It looks like a relative path is only considered to be one that starts with a '.+/'. Perhaps a little more checking would be in order? For example maybe:
$name =~ m[(?:^|/)\.+/]
(i.e. if the dot(s) are preceded by the beginning of the string or a slash.)
There may be other areas of Template Toolkit that use the m[^\.+/] regular expression as well that may need to be fixed up.
Here are the other areas in the default package that I found:
Template/Provider.pm:load():line 192: "elsif ($name =~ m[^\.+/]) {"
-- Josh
_______________________________________________ templates mailing list [email protected] http://lists.template-toolkit.org/mailman/listinfo/templates
