Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve file name check for scoring download exploit bug. #774

Merged

Conversation

mgage
Copy link
Member

@mgage mgage commented Jun 21, 2017

A more robust check of the fileName using the FileManager checkName function. This insures
that the fileName for the scoring file conforms precisely to the same rules used by the FileManager for files.

This pull request is not quite ready yet. I have to implement a similar check on the scoring tools page so that you cannot enter an incorrect file name there. I'll do that shortly.

Sorry to put you through the extra work -- I caught this problem this morning around 8 and I thought I had closed the pull request, but I guess I didn't push "commit and close" on the github web page.

mgage added 2 commits June 21, 2017 12:29
…me from the FileManager.

This insures that the file name corresponds to the same rules used by the FileManager.
…heckName from FileManager.

This actually cures another exploit.  By entering an illegal path one might have been able to clobber files that were not in the scoring directory.
As it is one can replace files already in the scoring directory.  This is probably a feature not a bug.
@pstaabp
Copy link
Member

pstaabp commented Jun 21, 2017

No problem. I'll wait until you give the word to test, but is to be tested the same way as the previous PR?

@pstaabp pstaabp self-assigned this Jun 21, 2017
@pstaabp pstaabp self-requested a review June 21, 2017 17:49
@mgage
Copy link
Member Author

mgage commented Jun 21, 2017 via email

unless ( $file eq WeBWorK::ContentGenerator::Instructor::FileManager::checkName($file) ) { #
$self->addbadmessage("Your file name is not valid. ".
"A file name cannot begin with a dot, it cannot be empty, it cannot contain a " .
"directory path component and only the characters [^-_.a-zA-Z0-9 ] are allowed."
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you want to remove the ^ from [^-_.a-zA-Z0-9 ] (that negates the character set to set for NOT those characters in the checkName() function).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. I fixed the typo in the message.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like you removed the ^ from a similar line in Scoring.pm, but this instance that Davide commented on in ScoringDownload.pm is still here. Also it is not clear to me if escape tildes are needed here as they are used in the similar message in Scoring.pm.

Copy link
Member

@pstaabp pstaabp Jun 24, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Alex-Jordan that's true. This is just a message to the user however. Perhaps it should say:

...only the characters a-z A-Z 0-9 - . and _  are allowed.

to be clearly for someone who doesn't speak regular expressions.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Space is also allowed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. I guess I missed that empty space in the RE.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated the error message so that it is the same in both places. I also mention space as a legal character explicitly instead of being cute and using the regular expression notation.

@mgage
Copy link
Member Author

mgage commented Jun 21, 2017

I think this is ready now.

To test:

1: Enter the following url as per bug #3793:

https://your.site.here/webwork2/coursename/instructor/scoringDownload?getFile=../../../../../etc/passwd

You should get an error complaining about the badly formed file name.
You can try various paths trying to reach any file outside the scoring directory.

  1. On the Scoring Tools page try to enter an illegal file name such as ../templates/local/set1/problem1.pg

then press the action button.

You should get an error message and that fileName is incorrect. (previously
such a file would have been created, probably overwriting what was already there.)
Try simpler illegal file paths as well.

There is also an error message if you forget to pick the sets to be graded. These two error messages should work independently of each other.

@mgage
Copy link
Member Author

mgage commented Jun 24, 2017

I improved the error messages when the file name was bad and made the error messages the same in both the Scoring.pm and ScoringDownload.pm files.

@Alex-Jordan
Copy link
Contributor

OK, and just to be clear, I can merge this even though I haven't tested it myself? Not a good habit in general, but just getting me to run through a merge?

@mgage
Copy link
Member Author

mgage commented Jun 24, 2017 via email

@Alex-Jordan Alex-Jordan merged commit 3b89432 into openwebwork:develop Jun 24, 2017
@mgage mgage deleted the develop_scoring_download_bug_fix2 branch June 25, 2017 14:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants