commit 572e68a859f3241ca257f940c415d22a81bf45d0 Author: Arturo Filastò art@fuffa.org Date: Tue Apr 22 21:44:23 2014 +0200
Fix vulnerability that allowed arbitrary files specified in decks to be executed. --- ooni/deck.py | 15 ++++++++++----- ooni/oonicli.py | 2 +- 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/ooni/deck.py b/ooni/deck.py index cfd5d73..8a26d0c 100644 --- a/ooni/deck.py +++ b/ooni/deck.py @@ -6,6 +6,7 @@ from ooni.settings import config from ooni.utils import log from ooni import errors as e
+from twisted.python.filepath import FilePath
 from twisted.internet import reactor, defer
import os @@ -65,19 +66,23 @@ class InputFile(object): file_hash = sha256(f.read()) assert file_hash.hexdigest() == digest
-def nettest_to_path(path):
+def nettest_to_path(path, allow_arbitrary_paths=False):
 """
 Takes as input either a path or a nettest name.
+ Args: + + allow_arbitrary_paths: + allow also paths that are not relative to the nettest_directory. + Returns:
full path to the nettest file.
 """
- path_via_name = os.path.join(config.nettest_directory, path + '.py')
- if os.path.exists(path):
+ if allow_arbitrary_paths and os.path.exists(path):
 return path
- elif os.path.exists(path_via_name):
- return path_via_name
+ elif FilePath(config.nettest_directory).preauthChild(path + '.py').exists():
+ return os.path.join(config.nettest_directory, path + '.py')
 else:
 raise e.NetTestNotFound(path)
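Review bot: The restricted branch of nettest_to_path validates one path and returns another: `preauthChild(path + '.py')` is what gets checked, but the returned value is rebuilt separately with `os.path.join(config.nettest_directory, path + '.py')`, so the check and the use can drift apart; return the validated object's `.path` instead. preauthChild also reports a name that escapes the directory by raising `InsecurePath` rather than by returning a non-existent path, so a hostile deck entry would surface as that exception instead of `e.NetTestNotFound`, which matters if callers only handle the latter. Its containment test is, as far as I recall, a string-prefix comparison on the absolute path that does not resolve symlinks, so the docstring should state that nettest_directory is assumed not to contain links or sibling directories writable by whoever supplies the deck. The sketch below needs `InsecurePath` added to the new `twisted.python.filepath` import.

```python
    # … unchanged: allow_arbitrary_paths branch returning path as given …
    try:
        nettest = FilePath(config.nettest_directory).preauthChild(path + '.py')
    except InsecurePath:
        # A name that resolves outside nettest_directory is reported the
        # same way as a missing nettest, so callers see one error type.
        raise e.NetTestNotFound(path)
    if nettest.exists():
        # Return exactly the path that was validated above.
        return nettest.path
    raise e.NetTestNotFound(path)
```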
diff --git a/ooni/oonicli.py b/ooni/oonicli.py index 5c3c0ce..9d50e44 100644 --- a/ooni/oonicli.py +++ b/ooni/oonicli.py @@ -152,7 +152,7 @@ def runWithDirector(logging=True, start_tor=True): deck.loadDeck(global_options['testdeck']) else: log.debug("No test deck detected") - test_file = nettest_to_path(global_options['test_file']) + test_file = nettest_to_path(global_options['test_file'], True) net_test_loader = NetTestLoader(global_options['subargs'], test_file=test_file) deck.insert(net_test_loader)
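Review bot: The bare `True` passed to nettest_to_path in runWithDirector does not tell a reader that it switches off the nettest_directory restriction; pass it by keyword, `nettest_to_path(global_options['test_file'], allow_arbitrary_paths=True)`. Since this is the one call site that opts out of the check, a short comment such as `# test_file comes from the operator's command line, unlike deck entries, so arbitrary paths are accepted here` would record why it is treated as trusted (that rationale is inferred from the commit message and should be confirmed). runWithDirector's body starts and ends outside the hunk.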