[plugin-host] Path traversal + XSS fix #5746
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
paul-marechal
force-pushed
the
mp/plugin-host-tmp
branch
from
f22963f to
aa90126
Compare
|
linked to #4168 ? |
For the XSS injection, simply make requests -using your browser maybe- like For the path traversal, you need to have at least one plugin, then in the "path" part of the URL, you can walk past the plugin root being served, and get anything you want. |
paul-marechal
force-pushed
the
mp/plugin-host-tmp
branch
from
aa90126 to
97301a6
Compare
paul-marechal
commented
Jul 19, 2019
paul-marechal
force-pushed
the
mp/plugin-host-tmp
branch
2 times, most recently
from
b8a9899 to
0a09d41
Compare
benoitf
reviewed
Aug 1, 2019
benoitf
approved these changes
Aug 2, 2019
|
@marechal-p Is there a reason why it is not merged? I've seen that @benoitf verified that relative paths are still working. |
|
I was away and forgot, will rebase and merge. |
The plugin host used to send unescaped responses via HTML, leading to a potential XSS vulnerability. Also, no constraint was applied to the file serving functionality, which means that you can get served any file on the filesystem if you add enough `../` parts in the requested path, walking past the plugin's root being served. This commit prevents clients to request something past the plugin's root, and also encodes the plugin id -requested by the client- in its response. Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
paul-marechal
force-pushed
the
mp/plugin-host-tmp
branch
from
0a09d41 to
bfea162
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The plugin host used to send unescaped responses via HTML, leading to
a potential XSS vulnerability. Also, no constraint was applied to the file
serving functionality, which means that you can get served any file on
the filesystem if you add enough
../parts in the requested path,walking past the plugin's root being served.
This commit prevents clients to request something past the plugin's
root, and also encodes the plugin id -requested by the client- in its response.
Signed-off-by: Paul Maréchal paul.marechal@ericsson.com