Forum OpenACS Development: Security breach in util_memoize "command $arg"

Request notifications


We have replaced _all_ util_memoize commands with double quotes:

- return [util_memoize "package_object_view_helper -start_with $start_with $object_type"]

with a version with "list":

- return [util_memoize [list package_object_view_helper -start_with $start_with $object_type]]

in the entire code of ]project-open[. Why?

It's like SQL injection, somebody could fiddle with $start_with or $object_type and replace object_type for example with:

- "acs_object; ad_user_login 123; return """

and therefore gain system administrator rights.

This is like colon vs. dollar variables in SQLs. They are also not strictly necessary if all ad_page_contracts are well designed.

The issue came up in a very intensive security audit. These guys just found one of these cases in the "/admin" folder of one package, so there is no impact (the Admin can do everything anyway...). But it was still a nice wake-up call.

The OpenACS Core contains some 20 or so of unsafe util_memoize calls, so it's not much work to find and fix.


Posted by Gustaf Neumann on
Hi Frank,

many thanks for this catch! The problem might happen with all non-sanitized variables passed to a quoted util_memoize (which should not happen). This problem might as well become a semantic issue, since the word boundaries are lost though the double quotes, when variables are substituted.

The version in the oacs-5-8 branch is now fixed.