Posted to rivet-dev@tcl.apache.org by "David N. Welton" <da...@dedasys.com> on 2002/06/30 16:23:35 UTC

["David Brancato" ] Re: 0.12.0

Here's a description of the problem:

mod_dtcl's list of commands includes hgetvars, which creates several Tcl
arrays. One such array, ENVS, contains the sub-process environment provided
by the Apache web server as well as the headers sent by the client. Because
the environment variables and client HTTP headers are combined into one
array, it is possible in rare circumstances for a specifically formed HTTP
request to spoof the existence of certain environment variables.

Exploiting:
A ttml script could be fooled if an HTTP client request is formed so that a
header has the same name as a common environment variable that is not always
present in the environment (such as REMOTE_USER) and the ttml script uses
the mere existence of that environment variable to perform certain tasks.
Example:

GET /somescript.ttml HTTP/1.1
Host: somesite.com
REMOTE_USER: someuser

Example of a script fragment (most likely included on pages site-wide via the
parse command, the source command or Apache directives) that would be fooled:

hgetvars
if {[info exists ENVS(REMOTE_USER)]} {
 # This is a valid user in a protected area
 # Display confidential information for this user
 ...
}

The fixed version places the HTTP headers into a separate array
(CLIENT_ENVS). The headers are still accessible in ENVS via their common CGI
environment names, i.e.:
ENVS(HTTP_USER_AGENT) would contain the same value as
CLIENT_ENVS(User-Agent)

David W. was able to release the fixed version *very* quickly amidst a
*very* busy travel schedule. So cheers to him.

Thanks,
David Brancato




---------------------------------------------------------------------
To unsubscribe, e-mail: mod_dtcl-unsubscribe@tcl.apache.org
For additional commands, e-mail: mod_dtcl-help@tcl.apache.org






-- 
David N. Welton
   Consulting: http://www.dedasys.com/
     Personal: http://www.dedasys.com/davidw/
Free Software: http://www.dedasys.com/freesoftware/
   Apache Tcl: http://tcl.apache.org/
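The ENVS merge and the CLIENT_ENVS fix described in David Brancato's report above, modelled as an added Python example (not mod_dtcl or Rivet code). It assumes the usual Apache header-to-CGI-variable mapping and a merge order for the old hgetvars; the request and environment values are constructed.

```python
"""Model of the mod_dtcl hgetvars bug and its fix (added example, not project code).

Apache exposes request headers to scripts as CGI-style variables ('-' -> '_',
upper-cased, 'HTTP_' prefixed). The old hgetvars also copied raw header names
into the same ENVS array as the server-supplied environment; the fix keeps raw
headers in CLIENT_ENVS. The old code's merge order is an assumption here.
"""

def cgi_name(header):
    """Map a header name to its CGI variable name: User-Agent -> HTTP_USER_AGENT."""
    return "HTTP_" + header.upper().replace("-", "_")

def vulnerable_hgetvars(server_env, headers):
    """Old behaviour: one ENVS array holding env vars and raw client headers."""
    envs = dict(server_env)
    envs.update({cgi_name(h): v for h, v in headers.items()})
    envs.update(headers)  # raw header names land in ENVS too: this is the bug
    return envs

def fixed_hgetvars(server_env, headers):
    """Fixed behaviour: raw headers go to CLIENT_ENVS; ENVS sees them only as HTTP_*."""
    envs = dict(server_env)
    envs.update({cgi_name(h): v for h, v in headers.items()})
    return envs, dict(headers)

def is_authenticated(envs):
    """The check from the ttml fragment: trusts the mere existence of REMOTE_USER."""
    return "REMOTE_USER" in envs

# Constructed inputs: in SERVER_ENV no Apache authentication ran, so the server
# never set REMOTE_USER; the client supplies a header of that name instead.
SERVER_ENV = {"SCRIPT_NAME": "/somescript.ttml", "SERVER_NAME": "somesite.com"}
AUTHED_ENV = dict(SERVER_ENV, REMOTE_USER="alice")  # constructed: auth really ran
SPOOFED_HEADERS = {"Host": "somesite.com", "REMOTE_USER": "someuser",
                   "User-Agent": "demo/1.0"}

def demo():
    """Run both models on the spoofed request and return the findings."""
    old = vulnerable_hgetvars(SERVER_ENV, SPOOFED_HEADERS)
    envs, client_envs = fixed_hgetvars(SERVER_ENV, SPOOFED_HEADERS)
    real_envs, _ = fixed_hgetvars(AUTHED_ENV, SPOOFED_HEADERS)
    return {
        "old_fooled": is_authenticated(old),             # True: header poses as env var
        "fixed_fooled": is_authenticated(envs),          # False: only HTTP_REMOTE_USER
        "fixed_real_user": is_authenticated(real_envs),  # True: server-set value kept
        "header_still_visible": envs["HTTP_REMOTE_USER"] == client_envs["REMOTE_USER"],
        "agent_match": envs["HTTP_USER_AGENT"] == client_envs["User-Agent"],
    }
```

With the fixed layout a client-supplied REMOTE_USER header only ever appears as ENVS(HTTP_REMOTE_USER) or CLIENT_ENVS(REMOTE_USER), so the existence check on ENVS(REMOTE_USER) is true only when Apache itself set it.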


Re: ["David Brancato" ] Re: 0.12.0

Posted by Damon Courtney <da...@your.unreality.com>.
> Those are better than my names.  I get the feeling that there should
> probably be some options...  Hrm.

    Well, load_env has 'env' as its default array name, but it can be
specified if the user wishes, i.e., load_env ENVS or something.  You can
just make load_headers the same way.  I think it's plenty configurable
and extremely useful. 0-]

Damon


---------------------------------------------------------------------
To unsubscribe, e-mail: rivet-dev-unsubscribe@tcl.apache.org
For additional commands, e-mail: rivet-dev-help@tcl.apache.org


Re: ["David Brancato" ] Re: 0.12.0

Posted by "David N. Welton" <da...@dedasys.com>.
Damon Courtney <da...@your.unreality.com> writes:

>     That will probably do.  I can't think of a better idea right
> now. 0-] I'll let you know if I come up with something.  Do we load
> them both into the same array by default or into separate arrays?
> You could have like:
 
> load_env -> env
> load_headers -> headers
> 
>     This would give a very clear distinction of what the arrays are
> and what they're there for.  At least, that's my opinion for command
> and array names. 0-]

Those are better than my names.  I get the feeling that there should
probably be some options...  Hrm.



Re: ["David Brancato" ] Re: 0.12.0

Posted by Damon Courtney <da...@your.unreality.com>.
> > So, what's the best way to fix this up?  I think we should maybe
> > have two commands load_env and load_client_env?
> 
> I'm going to implement this in the next few days unless someone
> suggests a better idea...

    That will probably do.  I can't think of a better idea right now. 0-]
I'll let you know if I come up with something.  Do we load them both into
the same array by default or into separate arrays?  You could have like:

load_env -> env
load_headers -> headers

    This would give a very clear distinction of what the arrays are and
what they're there for.  At least, that's my opinion for command and array
names. 0-]

D


---------------------------------------------------------------------
To unsubscribe, e-mail: rivet-dev-unsubscribe@tcl.apache.org
For additional commands, e-mail: rivet-dev-help@tcl.apache.org


Re: ["David Brancato" ] Re: 0.12.0

Posted by "David N. Welton" <da...@dedasys.com>.
davidw@dedasys.com (David N. Welton) writes:

> So, what's the best way to fix this up?  I think we should maybe
> have two commands load_env and load_client_env?

I'm going to implement this in the next few days unless someone
suggests a better idea...



Re: ["David Brancato" ] Re: 0.12.0

Posted by "David N. Welton" <da...@dedasys.com>.
So, what's the best way to fix this up?  I think we should maybe have
two commands load_env and load_client_env?
