[Templates] Template Toolkit 2 Relative Path Security Problem
Josh Rosenbaum
josh@infogears.com
Tue, 11 Jan 2005 11:06:48 -0700
This is related to the following:
Template Toolkit 2.14
Provider.pm - 2.81
I believe the RELATIVE path option has a small problem. While doing some testing, I noticed that I was able to do this:
[% INCLUDE foo/../../../../etc/passwd %]
(with RELATIVE/ABSOLUTE both set to 0, and foo is in the INCLUDE path of '/a/path/here/'; in other words, '/a/path/here/foo/' exists.)
I believe this is related to line 136 of Template/Provider.pm:
" elsif ($name =~ m[^\.+/]) {"
It looks like a relative path is only considered to be one that starts with a '.+/'. Perhaps a little more checking would be in order? For example maybe:
$name =~ m[(?:^|/)\.+/]
(i.e. if the dot(s) are preceded by the beginning of the string or a slash.)
There may be other areas of Template Toolkit that use the m[^\.+/] regular expression as well that may need to be fixed up.
Here are the other areas in the default package that I found:
Template/Provider.pm:load():line 192:"elsif ($name =~ m[^\.+/]) {"
-- Josh
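The two patterns from the post side by side, as an added example that is not part of the original message or of Template Toolkit itself; Python's `re` stands in for Perl's `m[...]`, and `resolves_inside` is a hypothetical path-normalising check, not something Provider.pm does.

```python
import re
import posixpath

# Provider.pm's test as quoted above: a name counts as relative only when it
# *begins* with one or more dots followed by a slash.
ORIGINAL_RELATIVE = re.compile(r'^\.+/')

# The replacement suggested in the post: dot segment preceded by the start of
# the string or by a slash, so "foo/../x" is caught as well.
PROPOSED_RELATIVE = re.compile(r'(?:^|/)\.+/')


def is_relative_original(name):
    """True if the original Provider.pm regex treats `name` as relative."""
    return bool(ORIGINAL_RELATIVE.search(name))


def is_relative_proposed(name):
    """True if the proposed regex treats `name` as relative.
    Note it is conservative: a harmless "./" segment is flagged too."""
    return bool(PROPOSED_RELATIVE.search(name))


def resolves_inside(include_path, name):
    """Regex-independent check (hypothetical, not TT code): join the template
    name onto the include path, normalise away '.' and '..', and require the
    result to still sit under the include path."""
    base = posixpath.normpath(include_path)
    target = posixpath.normpath(posixpath.join(base, name))
    return target == base or target.startswith(base + '/')


if __name__ == '__main__':
    # Constructed sample names, including the traversal from the post.
    for name in ('foo/../../../../etc/passwd', '../etc/passwd', 'foo/bar.tt'):
        print(name, is_relative_original(name), is_relative_proposed(name),
              resolves_inside('/a/path/here', name))
```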