View Issue Details

Jump to NotesJump to History
This bug affects 1 person(s).
 256
IDProjectCategoryView StatusDate SubmittedLast Update
14650Feature requestsSecuritypublic2019-03-14 18:072023-02-08 16:11
ReporterDenisChenu Assigned To 
PrioritynoneSeverityfeature 
Status newResolutionopen 
Summary14650: Really throw error when user try to hack server
Description

Looking at https://github.com/LimeSurvey/LimeSurvey/commit/1ed10d3c423187712b8f6a8cb2bc9d5cc3b2deb8
I think it's a bad solution

  1. We must throw a Bad request is params is invalid
  2. We must throw a 401 if the file don't exist (here : white 200 empty page (i think))
Additional Information

Soluytion van be create a function like this

getAbsoluteFileName($fileName,$basedirectory)

Check final dir : throw a 400 if different
Check file exist : trow a 401 if not
Finally : return the absolute path of file

TagsNo tags attached.
Bug heat256
Story point estimate40
Users affected %0

Relationships

Relationship GraphDependency Graph
related to 13652 closeddominikvitt Feature requests Revert to inherited button for modified files 

Users monitoring this issue

Mazi

Activities

DenisChenu

DenisChenu

2019-03-14 18:07

developer   ~50991

Maybe in 4.0 if you're OK ?
DenisChenu

DenisChenu

2019-03-18 15:45

developer   ~51032

Last edited: 2019-03-18 15:48

@LouisGac and @c_schmitz : another reason to have a clear 400 or 401 or etc … : logging attack is something very important. And some tools get it to autoban IP

fail2ban for example : https://stackoverflow.com/questions/24250946/fail2ban-to-block-403-errors-apache

But better : https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/apache-noscript.conf (for 401 here)
ollehar

ollehar

2023-02-08 16:08

administrator   ~73742

We might want to document desired behaviour on the code guideline?
DenisChenu

DenisChenu

2023-02-08 16:09

developer   ~73743

@ollehar : i have 2 times where we need to have log about attack on server.

With redirect : no way to log

Why 0% user affected ?
DenisChenu

DenisChenu

2023-02-08 16:11

developer   ~73744

We might want to document desired behaviour on the code guideline?

Ah yes, OK.

We clearly need more log possibility.
ollehar

ollehar

2023-02-08 16:11

administrator   ~73745

2 times out of millions and millions of requests....? Not sure it's an application responsibility either. :d

Issue History

Date Modified Username Field Change
2019-03-14 18:07 DenisChenu New Issue
2019-03-14 18:07 DenisChenu Assigned To => LouisGac
2019-03-14 18:07 DenisChenu Status new => feedback
2019-03-14 18:07 DenisChenu Note Added: 50991
2019-03-14 18:07 DenisChenu Assigned To LouisGac =>
2019-03-18 15:45 DenisChenu Note Added: 51032
2019-03-18 15:45 DenisChenu Status feedback => new
2019-03-18 15:45 DenisChenu Relationship added related to 13652
2019-03-18 15:48 DenisChenu Note Edited: 51032
2019-04-05 09:21 Mazi Issue Monitored: Mazi
2023-02-08 16:07 ollehar Story point estimate => 5
2023-02-08 16:07 ollehar Users affected % => 0
2023-02-08 16:08 ollehar Story point estimate 5 => 40
2023-02-08 16:08 ollehar Note Added: 73742
2023-02-08 16:08 ollehar Bug heat 254 => 256
2023-02-08 16:09 DenisChenu Note Added: 73743
2023-02-08 16:11 DenisChenu Note Added: 73744
2023-02-08 16:11 ollehar Note Added: 73745