Upload-form is currently not sanitized and is a possible security-threat
Bug #667664 reported by Tobias Baldauf
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Woof | Status tracked in Trunk | | |
Trunk | Fix Released | Critical | Woof |
Bug Description
When invoking "woof -U", a simple webserver is activated that gives users an upload-form where they can easily send the host of that webserver a file.
The upload-form is not sanitized in any way, meaning that it poses a severe security-threat to the host of a "woof -U"-webserver because everything that comes through that upload-webform is directly put onto the host's machine.
We should run some tests as to the extent of that threat (code-execution via formfield, etc.) and sanitize accordingly. Incoming files should possibly also be modified (execution-bit revoked and such) so that they cannot pose a threat to the host-system without action from the receiving party.
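One way to apply the hardening this report asks for on the receiving side, shown as an added example that is not woof's own code or its actual fix. The names `safe_name` and `store_upload`, the allowed character set and the size limit are assumptions made for illustration.

```python
import os
import re

# Characters allowed in a stored file name; everything else becomes "_".
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")

def safe_name(client_name):
    """Reduce a client-supplied file name to a harmless single path component."""
    # Clients may send a full path with either separator; keep the last part only.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Neutralise shell metacharacters, NUL bytes and spaces, and drop leading
    # dots so neither ".." nor hidden files like ".bashrc" can be produced.
    base = _UNSAFE.sub("_", base).lstrip(".")
    return base[:100] or "upload"

def store_upload(client_name, data, dest_dir, max_bytes=50 * 1024 * 1024):
    """Write an uploaded file into dest_dir without overwriting anything
    and without any execute bit set. Returns the path that was written."""
    if len(data) > max_bytes:
        raise ValueError("upload exceeds size limit")
    name = safe_name(client_name)
    stem, ext = os.path.splitext(name)
    # O_EXCL: never overwrite an existing file. O_NOFOLLOW (where available):
    # refuse to write through a symlink planted in the upload directory.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    for n in range(1000):
        candidate = name if n == 0 else "%s.%d%s" % (stem, n, ext)
        path = os.path.join(dest_dir, candidate)
        try:
            # Mode 0o600: owner read/write only. The umask can only remove
            # bits, so the file can never be created executable.
            fd = os.open(path, flags, 0o600)
        except FileExistsError:
            continue  # name taken, try the next numbered variant
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return path
    raise OSError("no free file name in upload directory")
```

The receiving party then has to run `chmod +x` deliberately before an uploaded script can execute, which is the "action from the receiving party" the report calls for.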
visibility: | private → public |
Changed in woofgui: | |
importance: | Undecided → Critical |
status: | New → Confirmed |
assignee: | nobody → Woof (woof) |
tags: | added: form security upload webserver woof |
Changed in woofgui: | |
milestone: | none → wolowizard |