diff options
author | Yusuke Iwase <iwase.yusuke0@gmail.com> | 2014-11-10 13:44:33 +0900 |
---|---|---|
committer | FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> | 2014-11-26 12:46:24 +0900 |
commit | 31353a95dd4fb43a13a67b549cad214c214c2302 (patch) | |
tree | b127752ab72d2e1cb01d3cacbd771003063758bd /doc/source | |
parent | 6a133b0cacbac79d5b99e363a076b26bf316dd62 (diff) |
fix security problem of some RESTful apps
I'm very sorry I didn't include rest_firewall.py and rest_qos.py in my patch.
I suggested for ofctl_rest.py only...
Here is the patch for rest_firewall.py and rest_qos.py.
---------------------------------------------------------------
Subject: [PATCH] fix security problem of some RESTful apps
It is not safe to use eval function because input data(request body) is not checked
For example, someone can send this data to remove all files in the directory
"import('os').system('rm -rf .')"
I suggest to use json.loads to parse the request body if the data is json format
or disable builtin functions like:
eval(req.body, {"__builtins__":None})
Signed-off-by: Takeshi <a86487817@gmail.com>
Signed-off-by: IWASE Yusuke <iwase.yusuke0@gmail.com>
Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Diffstat (limited to 'doc/source')
0 files changed, 0 insertions, 0 deletions