[Catalyst-dev] Security issue with Catalyst::Action::REST
Ton Voon
ton.voon at opsera.com
Wed Sep 1 20:51:01 GMT 2010
On 1 Sep 2010, at 19:46, Peter Karman wrote:
> Ton Voon wrote on 09/01/2010 05:24 AM:
>
>> Instead, I've patched
>> Catalyst::Action::Deserialize::Data::Serializer so
>> that if the serializer is Data::Dumper, pass it through a Safe
>> compartment instead. This limits the input to JSON-like input in perl
>> style which I guess is the most you would use REST input as.
>
> What if the serializer is Data::Dump, et al.? I.e., is the special
> check
> for Data::Dumper echoing some other, similar test in the module or in
> Catalyst core?
>
I'm not sure what you mean.
Data::Serializer is a front end to other serializers: http://search.cpan.org/~neely/Data-Serializer-0.49/lib/Data/Serializer.pm
Data::Dump is not one of the serializers available, though I guess
that doesn't preclude it from being included in future.
Data::Denter looks like some YAML type format, Data::Taxi is based on
an XML like structure, FreezeThaw is some variable only structure,
PHP::Serialization is PHP strings, Storable doesn't include code,
XML::Dumper/XML::Simple are XML based and YAML is YAML.
So I think Data::Dumper is the only serialization that could execute
other code based on blindly eval'ing input.
Ton
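The approach Ton describes (evaluating the Data::Dumper document inside a Safe compartment rather than blindly eval'ing it), as an added Perl illustration that is not code from the thread, from Catalyst::Action::REST or from Data::Serializer. The sub names and sample documents are constructed, and denying `bless` is an extra hardening step beyond what the thread mentions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Hypothetical stand-in for the blind deserialize() path: the
# Data::Dumper document is simply eval'd, so any Perl it contains runs.
sub deserialize_blind {
    my ($input) = @_;
    my $data = eval $input;
    die "parse error: $@" if $@;
    return $data;
}

# Hardened version along the lines the thread describes: the document is
# compiled inside a Safe compartment whose default opcode mask permits the
# operators needed to build hashes, arrays and constants but traps
# system(), open(), string eval, sleep() and similar ops at compile time.
# bless is denied on top because a REST payload should carry plain data.
sub deserialize_safe {
    my ($input) = @_;
    my $cpt = Safe->new;
    $cpt->deny('bless');
    my $data = $cpt->reval($input);   # returns the value of the last statement
    die "rejected: $@" if $@;
    return $data;
}

# Constructed sample inputs, not taken from the thread.
my $plain = q{$VAR1 = { 'name' => 'widget', 'tags' => [ 'a', 'b' ], 'qty' => 3 };};
# A document that is code rather than data; sleep() stands in for any
# side-effecting statement a blind eval would execute before returning.
my $hostile = q{$VAR1 = { 'name' => 'widget', 'qty' => scalar(sleep(60)) };};

my $blind = deserialize_blind($plain);   # works, but only because the input is benign
my $ok    = deserialize_safe($plain);
print "safe accepted: $ok->{name} qty=$ok->{qty} tags=@{$ok->{tags}}\n";

my $bad = eval { deserialize_safe($hostile) };
print "safe rejected: $@" unless defined $bad;   # "'sleep' trapped by operation mask ..."
```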