
Sanitize ScoringDownload getFile parameter. Fixes bug #3793 #748

Merged: 2 commits merged into openwebwork:master from the scoringDownloadBug branch on Jun 21, 2017

Conversation

mgage
Member

@mgage mgage commented Nov 4, 2016

This fixes at least part of bug #3793. Now the file name cannot contain /, which prevents the exploit described in #3793.

@mgage
Member Author

mgage commented Nov 4, 2016

To test: enter the following URL, as per bug #3793:

https://webwork.swarthmore.edu/webwork2/coursename/instructor/scoringDownload?getFile=../../../../../etc/passwd

You should get an error complaining about the path components.

@mgage mgage requested review from aubreyja, pstaabp, dlglin and jwj61 June 15, 2017 14:45
@pstaabp
Member

pstaabp commented Jun 15, 2017

Looks like anything with a / generates an error. I also tried a ~ such as ?getFile=~pstaab and we get a 404 error. Should we say the same error for that as well?

@mgage
Member Author

mgage commented Jun 21, 2017

OK. I added a check for ~ anywhere in the "filename". Anything else?

@pstaabp pstaabp merged commit 94b4a42 into openwebwork:master Jun 21, 2017
@mgage mgage deleted the scoringDownloadBug branch June 25, 2017 14:34
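The thread above settles on rejecting / and ~ anywhere in the getFile value. The following is an added example, written here for illustration and not code from the WeBWorK project or this PR, of how such a check can be structured in Perl (WeBWorK's language). The directory path, the function name resolve_scoring_file and the allowlist pattern are assumptions; the real scoringDownload handler and its scoring directory layout are not shown on this page. Beyond the two characters discussed in the PR, it also rejects NUL bytes and dot-leading names and confirms the joined path still sits inside the scoring directory.

```perl
#!/usr/bin/perl
# Added example (not WeBWorK project code): validate a user-supplied
# scoring-file name before joining it to the course's scoring directory.
use strict;
use warnings;
use File::Spec;

# Assumption: the scoring directory is fixed per course and is never
# derived from request input.
my $SCORING_DIR = '/opt/webwork/courses/coursename/scoring';

# Returns ($path, undef) when the name is acceptable, or (undef, $error)
# when it must be refused. Every check is a reject-on-sight rule; nothing
# is stripped or "cleaned" out of the name, so there is no second pass an
# attacker could aim at.
sub resolve_scoring_file {
    my ($dir, $name) = @_;
    return (undef, 'missing file name') unless defined $name && length $name;

    # The two cases raised in the PR: directory separators (covers ../ as
    # well as absolute paths) and home-directory expansion.
    return (undef, "illegal path component in '$name'") if $name =~ m{[/\\]};
    return (undef, "illegal character '~' in '$name'") if index($name, '~') >= 0;

    # A NUL can truncate the name at the filesystem layer; refuse it outright.
    return (undef, 'NUL byte in file name') if index($name, "\0") >= 0;

    # "." and ".." have no separator but still are not files to hand out,
    # and dotfiles are never scoring output.
    return (undef, "hidden or relative name '$name'") if $name =~ /^\./;

    # Assumed allowlist: scoring files are plain word characters, dots and
    # dashes (for example totals.csv). Anything else is refused.
    return (undef, "unexpected characters in '$name'")
        unless $name =~ /^[A-Za-z0-9_.\-]+$/;

    # Defence in depth: build the path and confirm it is still under $dir
    # after canonicalisation, so a future change to the rules above cannot
    # silently reopen the traversal.
    my $base  = File::Spec->canonpath($dir);
    my $canon = File::Spec->canonpath(File::Spec->catfile($dir, $name));
    return (undef, 'path escapes scoring directory')
        unless index($canon, "$base/") == 0;

    return ($canon, undef);
}

# Constructed sample inputs: the PR's test URL value, the ~ case from the
# review, and a few extra edge cases.
for my $name ('totals.csv', '../../../../../etc/passwd', '~pstaab', '.htaccess', "a\0b") {
    my ($path, $err) = resolve_scoring_file($SCORING_DIR, $name);
    printf "%-32s => %s\n", $name, defined $path ? $path : "rejected: $err";
}
```

The separator check runs first on purpose: the traversal string from the bug report is refused with the "path component" message the PR author describes, before any of the later rules see it. The prefix check at the end compares against "$base/" rather than $base alone so that a sibling directory whose name merely starts with the scoring directory's name is not accepted.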