Posted to dev@lenya.apache.org by Bob Harner <bo...@gmail.com> on 2005/12/23 23:11:54 UTC

Lenya 1.2.4 Publish step shouldn't trust input

Devs,

During document publishing, Lenya 1.2.4 (and maybe 1.4?) accepts some
values from the request at face value rather than looking them up in
session data.  For example, a URL like this (which I'll wrap here for
readability) is what the browser sends when one submits the
confirmation form on the publish page in the CMS (to publish a
document):

http://localhost:8888/default/info-authoring/tutorial.html
?lenya.usecase=publish
&lenya.step=publish
&task-id=publish
&document-id=/tutorial
&document-language=en
&user-id=MickeyMouse
&user-name=Mickey%20Mouse
&user-email=levi.vanya%40wyona.org
&ip-address=168.0.0.1
&role-ids=admin%2Creview%2Cedit
&workflow-event=publish
&properties.publish.sources=tutorial/index_en.xml
&properties.files2index=
&sources=tutorial/index_en.xml
&properties.export.uris=/default/live/tutorial.html
&uris=/default/live/tutorail.html

It turns out that a user may submit *any* string in the "user-name"
spot, with the result being recorded in the tutorial/index_en.xml.rcml
file and subsequently displayed in the Workflow tab for that document.
I suspect other values can also be forged.

Although only a logged-in user can successfully forge information in
this way, this appears to be a weakness in how the application is
structured.

Most of this information can be looked up on the server rather than
trusting the browser to provide valid values, right?  It seems to me
that this publish request shouldn't be sending the user-id, user-name,
user-email, ip-address, role-ids, properties.publish.sources, sources,
properties.export.uris and uris values at all, should it?

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lenya.apache.org
For additional commands, e-mail: dev-help@lenya.apache.org
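The weakness described above, reduced to a runnable sketch. This is an added example, not Apache Lenya's own code (Lenya is Java/Cocoon; Python is used here only to show the pattern): the request from the post is parsed, an allowlist decides which parameters the browser may choose, everything that describes the caller or the document's files is resolved from the server side, and a separate check lists the request fields that contradict the server's view. The `Session` class, the `document_files` lookup, the session values (`lenya`, `Lenya Editor`, `editor@example.org`, `127.0.0.1`) and the `build_task_params*` / `forged_fields` function names are all assumptions made for the illustration.

```python
# Added illustration, not Lenya code: rebuild publish task parameters on the
# server instead of copying them from the request.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Parameters the browser legitimately chooses for this usecase.
CLIENT_PARAMS = frozenset({
    "lenya.usecase", "lenya.step", "task-id",
    "document-id", "document-language", "workflow-event",
})

# Parameters the original request carries but that must come from the
# session or a document lookup, never from the request.
SERVER_ONLY_PARAMS = frozenset({
    "user-id", "user-name", "user-email", "ip-address", "role-ids",
    "properties.publish.sources", "sources",
    "properties.export.uris", "uris",
})


@dataclass(frozen=True)
class Session:
    """Authenticated identity as the server knows it (constructed stand-in)."""
    user_id: str
    user_name: str
    user_email: str
    role_ids: tuple
    remote_addr: str


# The request from the post, copied verbatim (including its claimed identity).
REQUEST_URL = (
    "http://localhost:8888/default/info-authoring/tutorial.html"
    "?lenya.usecase=publish&lenya.step=publish&task-id=publish"
    "&document-id=/tutorial&document-language=en"
    "&user-id=MickeyMouse&user-name=Mickey%20Mouse"
    "&user-email=levi.vanya%40wyona.org&ip-address=168.0.0.1"
    "&role-ids=admin%2Creview%2Cedit&workflow-event=publish"
    "&properties.publish.sources=tutorial/index_en.xml"
    "&properties.files2index=&sources=tutorial/index_en.xml"
    "&properties.export.uris=/default/live/tutorial.html"
    "&uris=/default/live/tutorail.html"
)

# Constructed session for the logged-in author; its identity fields differ
# from what the request claims, so the forgery is visible.
SESSION = Session(
    user_id="lenya", user_name="Lenya Editor", user_email="editor@example.org",
    role_ids=("admin", "review", "edit"), remote_addr="127.0.0.1",
)


def parse_request(url: str) -> dict:
    """Flatten the query string to {name: first value}, decoding %xx escapes."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def document_files(document_id: str, language: str) -> dict:
    """Hypothetical lookup standing in for Lenya's document/publication layer."""
    path = document_id.strip("/")
    source = f"{path}/index_{language}.xml"
    live_uri = f"/default/live/{path}.html"
    return {
        "properties.publish.sources": source, "sources": source,
        "properties.export.uris": live_uri, "uris": live_uri,
    }


def server_view(params: dict, session: Session) -> dict:
    """Values of the server-only parameters, derived from session and document."""
    view = {
        "user-id": session.user_id,
        "user-name": session.user_name,
        "user-email": session.user_email,
        "ip-address": session.remote_addr,
        "role-ids": ",".join(session.role_ids),
    }
    view.update(document_files(params["document-id"], params["document-language"]))
    return view


def build_task_params_trusting(params: dict) -> dict:
    """The weak pattern: every request parameter becomes a task parameter."""
    return dict(params)


def build_task_params(params: dict, session: Session) -> dict:
    """Hardened: allowlisted client fields plus server-resolved identity/files.
    Anything else in the request (e.g. properties.files2index) is dropped."""
    task = {name: value for name, value in params.items() if name in CLIENT_PARAMS}
    task.update(server_view(params, session))
    return task


def forged_fields(params: dict, session: Session) -> list:
    """Server-only parameters whose request value contradicts the server's view;
    worth logging even after the hardening, since it shows a tampered client."""
    expected = server_view(params, session)
    return sorted(name for name in SERVER_ONLY_PARAMS
                  if name in params and params[name] != expected[name])


if __name__ == "__main__":
    req = parse_request(REQUEST_URL)
    print("trusting  user-name:", build_task_params_trusting(req)["user-name"])
    print("hardened  user-name:", build_task_params(req, SESSION)["user-name"])
    print("forged fields:", forged_fields(req, SESSION))
```

Note that `forged_fields` also flags `uris`: the request's `/default/live/tutorail.html` does not match the live URI derived from the document, which is exactly the kind of file-path value that should be computed from `document-id` and `document-language` on the server rather than accepted from the form.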


Re: Lenya 1.2.4 Publish step shouldn't trust input

Posted by Michael Wechner <mi...@wyona.com>.
Bob Harner wrote:

>Devs,
>
>During document publishing, Lenya 1.2.4 (and maybe 1.4?) accepts some
>values from the request at face value rather than looking them up in
>session data.  For example, a URL like this (which I'll wrap here for
>readability) is what the browser sends when one submits the
>confirmation form on the publish page in the CMS (to publish a
>document):
>
>http://localhost:8888/default/info-authoring/tutorial.html
>?lenya.usecase=publish
>&lenya.step=publish
>&task-id=publish
>&document-id=/tutorial
>&document-language=en
>&user-id=MickeyMouse
>&user-name=Mickey%20Mouse
>&user-email=levi.vanya%40wyona.org
>&ip-address=168.0.0.1
>&role-ids=admin%2Creview%2Cedit
>&workflow-event=publish
>&properties.publish.sources=tutorial/index_en.xml
>&properties.files2index=
>&sources=tutorial/index_en.xml
>&properties.export.uris=/default/live/tutorial.html
>&uris=/default/live/tutorail.html
>
>It turns out that a user may submit *any* string in the "user-name"
>spot, with the result being recorded in the tutorial/index_en.xml.rcml
>file and subsequently displayed in the Workflow tab for that document.
>I suspect other values can also be forged.
>
>Although only a logged-in user can successfully forge information in
>this way, this appears to be a weakness in how the application is
>structured.
>  
>

agreed

>Most of this information can be looked up on the server rather than
>trusting the browser to provide valid values, right?  It seems to me
>that this publish request shouldn't be sending the user-id, user-name,
>user-email, ip-address, role-ids, properties.publish.sources, sources,
>properties.export.uris and uris values at all, should it?
>  
>

I am not sure about all the parameters, but you might want to give it
a try and see which ones can be read from the session. Patches are very 
welcome ;-)

Michi



-- 
Michael Wechner
Wyona      -   Open Source Content Management   -    Apache Lenya
http://www.wyona.com                      http://lenya.apache.org
michael.wechner@wyona.com                        michi@apache.org

