[Catalyst-dev] Security issue with Catalyst::Action::REST
Ton Voon
ton.voon at opsera.com
Wed Sep 1 10:24:10 GMT 2010
Hi!
I raised this on IRC a few days back. Basically, using
Data::Serializer through Catalyst::Action::Rest takes the input data
and evals it. However, there is no checking on the input data, which
means arbitrary code could be executed. I tested by putting a
"die()" as input, and this gets run.
mst suggested using Data::Pond instead, but this didn't support undef
and also was erroring with some of my data structures. mst also
suggested not patching Data::Serializer as that would break other
applications.
Instead, I've patched Catalyst::Action::Deserialize::Data::Serializer
so that if the serializer is Data::Dumper, the input is passed through
a Safe compartment instead. This limits the input to JSON-like input in
Perl style, which I guess is the most you would use REST input as.
I'm guessing that all Catalyst::Action::REST instances have this issue
as the default map allows Data::Serializer to get invoked. The begin
action could get called before authentication routines, which means
that any cat app using this module is exposed.
Can you please confirm whether this patch is a suitable one? Are there
any other holes left open?
Ton
[Attachment (scrubbed by the list archive): catalyst_action_rest_safe_eval_data_dumper.patch, application/octet-stream, 2596 bytes]
http://lists.scsys.co.uk/pipermail/catalyst-dev/attachments/20100901/83ec4432/catalyst_action_rest_safe_eval_data_dumper.obj
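As an added illustration (this is not Ton's attached patch, and not code from Catalyst::Action::REST or Data::Serializer), the stand-alone Perl script below contrasts the deserialization pattern the message describes, a bare eval of client-supplied Data::Dumper text, with the same text evaluated in a Safe compartment. The function names, the inputs and the extra opcode deny list are this example's own choices; the deny list is an assumption about what a "JSON-like" Perl literal needs, not the mask the real patch uses.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Data::Dumper;
use Safe;

# Produce the kind of text a Data::Dumper-backed serializer emits:
# a Perl statement "$VAR1 = ...;" that the receiver is expected to eval.
sub serialize_dumper {
    my ($data) = @_;
    local $Data::Dumper::Indent   = 0;   # single line, easier to read here
    local $Data::Dumper::Sortkeys = 1;   # deterministic key order
    return Dumper($data);
}

# VULNERABLE (the pattern the report describes): whatever the client sent
# is compiled and run as Perl with the full privileges of the application.
sub deserialize_unsafe {
    my ($text) = @_;
    my $VAR1;                       # target of the "$VAR1 = ..." statement
    my $result = eval $text;        # arbitrary code runs here
    die "deserialize failed: $@" if $@;
    return $result;
}

# HARDENED: evaluate the text inside a Safe compartment. Safe's default
# opmask (:default) already refuses system, exec, backticks, open, require
# and similar; on top of that we deny opcodes a plain data literal never
# needs but that hand an attacker code execution or object gadgets.
# Assumption: this deny list is the example's own, not the patch's.
sub deserialize_safe {
    my ($text) = @_;
    my $cpt = Safe->new;
    my @never_in_data = (
        qw(entersub rv2cv anoncode),   # no subroutine calls, no closures
        qw(refgen srefgen),            # no \$x / \@a / \%h references
        'bless',                       # no object construction (DESTROY gadgets)
        qw(die warn),                  # the probe from the report; data needs neither
    );
    $cpt->deny(@never_in_data);
    my $result = $cpt->reval($text);   # compiled under the opmask; $@ set on a trap
    die "deserialize rejected input: $@" if $@;
    return $result;
}

# --- demo with constructed inputs ---
my $legit = serialize_dumper({ user => 'alice', roles => ['admin', undef], n => 3 });
my $probe = q{die "boom"};                                              # what the report tested
my $rce   = q{system("echo ARBITRARY COMMAND RAN"); $VAR1 = 'pwned';};  # constructed payload

for my $case (['legitimate', $legit], ['die probe', $probe], ['system() payload', $rce]) {
    my ($label, $text) = @$case;
    for my $impl (['unsafe', \&deserialize_unsafe], ['Safe', \&deserialize_safe]) {
        my ($name, $fn) = @$impl;
        my $out = eval { $fn->($text) };
        my $msg = $@ ? "rejected: " . (split /\n/, $@)[0]
                     : "accepted: " . serialize_dumper($out);
        printf "%-17s via %-6s -> %s\n", $label, $name, $msg;
    }
}
```

Run it and the unsafe path executes the echo before returning 'pwned', while the Safe path reports that 'system' (and, for the probe, 'die') was trapped by the operation mask; the legitimate structure round-trips through both. Treat the compartment as a mitigation, not a boundary: Safe is an opcode mask with a history of sandbox escapes, so the durable fix for untrusted REST input is a real parser for a data format (JSON or similar) rather than any form of eval, and, as the message points out, the deserialization should not run before authentication.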