cocoon-dev mailing list archives

From Jorg Heymans
Subject Re: variable substitution in @type attributes
Date Wed, 04 Feb 2004 16:22:32 GMT
> That's not unlikely and doesn't require uploading classes. Consider the 
> following:
> <map:match pattern="*-*.html">
>  <map:generate src="repository/{1}.xml" type="file"/>
>  <map:transform type="{2}"/>
>  <map:serialize type="html"/>
> </map:match>
> Now suppose we're in a CMS and that the user can upload the initial xml 
> file. What if {2}, which is expected to be "foo" or "bar" is set to 
> "jxtemplate"? The uploaded file is interpreted and can then execute 
> arbitrary code on the server!
> Does this sound so unlikely?
Not at all, thanks for rubbing my nose in it :)

Your example would be unsafe anyway if the transformer is configured to 
jxtemplate and the upload-directory to repository, but I guess then the 
user is to blame and not the framework.

Tainting uploaded files or parameters like perl does could partially 
prevent this but it would never be foolproof.

I'll rest my case.

> Sylvain
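The sitemap fragment from Sylvain's message, placed beside a hardened form as an added example that is not part of the thread or of the Cocoon project itself. The fix is the obvious one: never let a request-derived value choose the transformer; spell out one match per permitted transformer with a literal @type, so a URI such as foo-jxtemplate.html simply does not match this pipeline. The transformer names foo and bar are the ones assumed in the thread.

```xml
<!-- Vulnerable form (as quoted in the thread): the transformer type is taken
     verbatim from the second wildcard of the request URI. Requesting
     foo-jxtemplate.html selects the JXTemplate transformer, so an uploaded
     repository/foo.xml is evaluated as a template rather than copied through. -->
<map:match pattern="*-*.html">
  <map:generate src="repository/{1}.xml" type="file"/>
  <map:transform type="{2}"/>
  <map:serialize type="html"/>
</map:match>

<!-- Hardened form (added example): one match per allowed transformer, each with
     a literal @type. Only the document name is still taken from the URI; the
     transformer can no longer be chosen by the requester. Any other suffix falls
     through to later matchers or a 404. "foo" and "bar" are assumed names. -->
<map:match pattern="*-foo.html">
  <map:generate src="repository/{1}.xml" type="file"/>
  <map:transform type="foo"/>
  <map:serialize type="html"/>
</map:match>

<map:match pattern="*-bar.html">
  <map:generate src="repository/{1}.xml" type="file"/>
  <map:transform type="bar"/>
  <map:serialize type="html"/>
</map:match>
```

The same rule applies to any sitemap attribute that names a component (@type on map:generate, map:act, map:serialize): substitution variables belong in src and parameter values, not in component selection, because the set of registered components includes ones that execute their input.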
