Forum OpenACS Development: Security breach in util_memoize "command $arg"
We have replaced _all_ util_memoize commands with double quotes:
- return [util_memoize "package_object_view_helper -start_with $start_with $object_type"]
with a version with "list":
- return [util_memoize [list package_object_view_helper -start_with $start_with $object_type]]
in the entire code of ]project-open[. Why?
It's like SQL injection: somebody could fiddle with $start_with or $object_type and replace object_type, for example, with:
- "acs_object; ad_user_login 123; return """
and therefore gain system administrator rights.
This is like colon vs. dollar variables in SQLs. They are also not strictly necessary if all ad_page_contracts are well designed.
The issue came up in a very intensive security audit. These guys just found one of these cases in the "/admin" folder of one package, so there is no impact (the Admin can do everything anyway...). But it was still a nice wake-up call.
The OpenACS Core contains some 20 or so unsafe util_memoize calls, so it's not much work to find and fix them.
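The injection described above, as an added example in plain Tcl; this is not code from ]project-open[ or OpenACS. memoize_stub is a hypothetical stand-in for util_memoize (it caches on the script string and evaluates the script with eval, which is the behaviour the post relies on), and ad_user_login and package_object_view_helper are hypothetical stubs that only record what they were called with. The same block also shows the loss of word boundaries in the quoted form when a value merely contains whitespace.

```tcl
# Added example, not ]project-open[ or OpenACS code.
# memoize_stub: hypothetical stand-in for util_memoize. A cache miss
# evaluates the script string it was handed, exactly like the real thing.
array set cache {}
proc memoize_stub {script} {
    global cache
    if {![info exists cache($script)]} {
        set cache($script) [eval $script]
    }
    return $cache($script)
}

# Hypothetical stubs for the procs named in the post.
set login_calls {}
proc ad_user_login {user_id} {
    global login_calls
    lappend login_calls $user_id
}
proc package_object_view_helper {args} {
    return "[llength $args] args: $args"
}

# Attacker-controlled value from the post (constructed input).
set start_with 1
set object_type {acs_object; ad_user_login 123; return ""}

# Unsafe: the value is substituted into a double-quoted string, so the
# semicolons become command separators once the string is evaluated.
# ad_user_login runs, and the trailing `return ""` ends memoize_stub early.
set r1 [memoize_stub "package_object_view_helper -start_with $start_with $object_type"]
puts "quoted form: returned '$r1', ad_user_login called with '$login_calls'"

# Safe: [list ...] builds a proper Tcl list, so the whole value is one word
# and reaches package_object_view_helper as a single argument.
set login_calls {}
set r2 [memoize_stub [list package_object_view_helper -start_with $start_with $object_type]]
puts "list form:   returned '$r2', ad_user_login called with '$login_calls'"

# Word boundaries: even a harmless value with a space is split into two
# arguments by the quoted form, and kept as one by the list form.
set object_type "content item"
puts [memoize_stub "package_object_view_helper -start_with $start_with $object_type"]
puts [memoize_stub [list package_object_view_helper -start_with $start_with $object_type]]
```

Run it with tclsh. The quoted call records the injected ad_user_login 123 and returns an empty result; the list call records nothing and passes the full attacker string as one argument. To locate the remaining quoted calls in a code base, searching for `util_memoize "` across the .tcl files is enough, since the safe form always starts with `util_memoize [list`.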
Many thanks for this catch! The problem might happen with all non-sanitized variables passed to a quoted util_memoize (which should not happen). This problem might as well become a semantic issue, since the word boundaries are lost through the double quotes when variables are substituted.
The version in the oacs-5-8 branch is now fixed.