lists of tainted values in query string kill processInputs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Fix Released | Medium | Martijn Pieters |
Bug Description
The issue: lists of tainted values in HTTP_QUERY_STRING won't survive. That is,
multiple parameters from the web with the same key value that contain '<'
symbols kill the parser, so your script won't even get executed.
It generates an AttributeError on "append" with the following stack trace:
[//ZServer/
[//ZServer/
[//ZServer/
[//ZServer/
[//lib/
[//lib/
[//lib/
[//lib/
[//lib/
I dug around a bit in the source, and it seems the problem is in
processInputs. 'append' is called on a string, which should be a list, but is
initialized wrongly in another part of processInputs.
Following is a patch to fix the issue in lib/python/
--- HTTPRequest.py.old 2002-10-28 20:13:40.000000000 +0100
+++ HTTPRequest.py.new 2002-10-28 20:14:32.000000000 +0100
@@ -780,7 +780,7 @@
- taintedform[
+ taintedform[
if defaults:
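Review bot: the hunk changes only the taintedform[...] initializer at line 780 and carries no regression test, yet the failure case is fully described above (two values under the same key, the second containing '<', so that 'append' is called on a string). Add a test to the suite that submits a query string such as ?a=1&a=<b and asserts that both form['a'] and taintedform['a'] come back as a two-element list rather than raising AttributeError; without it the same initializer can regress on the other branches this is ported to.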
Status: Pending => Accepted
Supporters added: mj
Confirmed; the test suite wasn't testing for implicit sequences with taints. I'll fix this and port it to the various branches that need fixing.
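The failure described in the report and the missing test mentioned in the comment above, as an added illustration written for this page rather than Zope's own HTTPRequest.processInputs. It is a simplified model of the two data structures the report names: `form`, where a repeated key becomes a list (an "implicit sequence"), and `taintedform`, a parallel mapping of the values that contain '<'. The `fixed` flag switches between the buggy initializer (the tainted entry seeded with the plain string, so the following `append` raises AttributeError) and the corrected one (seeded with the list of earlier values). The function and parameter names, and the sample query strings, are assumptions made for the example.

```python
"""Simplified model of Zope 2's processInputs form/taintedform handling.

Added example for this bug page; not Zope's code.  Assumed from the report:
repeated keys become lists, and a separate `taintedform` mirrors any value
(or list of values) that contains '<'.
"""
from urllib.parse import parse_qsl


def is_tainted(value):
    # The taint check modelled here: a '<' anywhere in the value.
    return "<" in value


def process_inputs(query_string, fixed=True):
    """Return (form, taintedform) for a raw query string.

    fixed=False reproduces the reported bug: the taintedform entry for a
    key that already had a clean value is seeded with that string instead
    of a list, so appending the second (tainted) value fails.
    """
    form = {}
    taintedform = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        tainted = is_tainted(value)
        if key not in form:
            # First value for this key: scalar entries in both mappings.
            form[key] = value
            if tainted:
                taintedform[key] = value
            continue

        # Repeated key: promote the scalar to a list without mutating the
        # old entry, so the buggy branch below can still observe it.
        existing = form[key]
        earlier = existing if isinstance(existing, list) else [existing]
        form[key] = earlier + [value]

        # A tainted value anywhere in the sequence means taintedform must
        # carry the whole sequence, not just the tainted member.
        if tainted or key in taintedform:
            if key not in taintedform:
                if fixed:
                    # Corrected initializer: start from the list of the
                    # earlier (clean) values, then append the new one.
                    taintedform[key] = list(earlier)
                else:
                    # Bug from the report: seeded with the pre-promotion
                    # entry, which is a plain str on the second value, so
                    # .append() below raises AttributeError.
                    taintedform[key] = existing
            elif not isinstance(taintedform[key], list):
                # First value was tainted and scalar; promote it too.
                taintedform[key] = [taintedform[key]]
            taintedform[key].append(value)
    return form, taintedform


def run(query_string, fixed=True):
    """Run process_inputs and report either the result or the exception,
    which is what a regression test for this bug needs to observe."""
    try:
        form, taintedform = process_inputs(query_string, fixed=fixed)
        return ("ok", form, taintedform)
    except AttributeError as exc:
        return ("AttributeError", str(exc))


if __name__ == "__main__":
    # Constructed sample query strings; "a=1&a=<b" is the reported case.
    for qs in ("a=1&a=2", "a=1&a=<b", "a=<x&a=2", "a=<x&a=<y&a=3"):
        print(qs, "buggy ->", run(qs, fixed=False))
        print(qs, "fixed ->", run(qs, fixed=True))
```

The first value in `a=1&a=<b` is clean, so nothing is in `taintedform` when the tainted second value arrives; that is the only ordering that reaches the bad initializer, which is why a test suite that only checked all-tainted or all-clean sequences never tripped over it.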