Upload-form is currently not sanitized and is a possible security-threat
Bug #667664 reported by
Tobias Baldauf
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | ||
|---|---|---|---|---|---|---|
| Woof | Status tracked in Trunk | |||||
| Trunk |
Fix Released
|
Critical
|
Woof | |||
Bug Description
When invoking "woof -U", a simple webserver is activated that gives users an upload-form where they can easily send the host of that webserver a file.
The upload-form is not sanitized in any way, meaning that it poses a severe security.threat to the host of a "woof -U"-webserver because everything that comes through that upload-webform is directly put onto the host's machine.
We should run some tests as to the extent of that threat (code-execution via formfield, etc,) and sanitize accordingly. Incoming files should possibly also be modified (execution-bit revoked and such) so that they cannot pose a threat to the host-system without action from the receiving party.
Related branches
| visibility: | private → public |
| Changed in woofgui: | |
| importance: | Undecided → Critical |
| status: | New → Confirmed |
| assignee: | nobody → Woof (woof) |
| tags: | added: form security upload webserver woof |
| Changed in woofgui: | |
| milestone: | none → wolowizard |
To post a comment you must log in.
