author: Yusuke Iwase <iwase.yusuke0@gmail.com> 2014-11-10 09:04:36 +0900
committer: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> 2014-11-10 13:20:03 +0900
commit: 32a17fbec6e1e61c4dc50fb24048069afcaa621a (patch)
tree: b5e1e803c0a1a80d57b8e26b8fa7af6055fb502b /doc
parent: f4305289295477e4d1d35f71af45d3b97fe9115d (diff)
fix security problem of some RESTful apps
It is not safe to use the eval function because the input data (request body) is not checked. For example, someone can send this data to remove all files in the directory:
"import('os').system('rm -rf .')"
I suggest using json.loads to parse the request body if the data is in JSON format, or disabling builtin functions like:
eval(req.body, {"__builtins__":None})

In this patch, ast.literal_eval() is used to evaluate the REST body, because ofctl_rest needs to be compatible with hexadecimal values or ASCII byte arrays (e.g. "\x00\x00\x00\x01" in Experimenter) in order to keep usability.

Signed-off-by: Takeshi <a86487817@gmail.com>
Signed-off-by: IWASE Yusuke <iwase.yusuke0@gmail.com>
Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Diffstat (limited to 'doc')
0 files changed, 0 insertions, 0 deletions
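The eval versus ast.literal_eval trade-off described in the commit message, as an added Python example that is not part of the Ryu code base or of this commit. The request bodies are constructed samples, the parse_body_* helpers are hypothetical wrappers rather than ofctl_rest's own functions, and the contrast shows three things: literal_eval rejects anything that is not a plain literal (such as a call expression), it still accepts the "\x00\x00\x00\x01" string form the message says Experimenter needs, and json.loads would not accept that form because "\x" is not a valid JSON escape.

```python
import ast
import json

# Constructed request bodies (not taken from the Ryu code base or its tests).
DICT_BODY = "{'dpid': 1, 'match': {'in_port': 1}}"   # Python-literal dict
HEX_BYTES_BODY = '"\\x00\\x00\\x00\\x01"'            # ASCII byte array, Experimenter style
CALL_BODY = "some_function('x')"                      # a call, i.e. code rather than data
JSON_BODY = '{"dpid": 1, "match": {"in_port": 1}}'    # the same dict as JSON


def parse_body_unsafe(body):
    """Pre-patch pattern: eval() executes any expression in the body.
    Kept only for contrast with the hardened version below."""
    return eval(body)


def parse_body_literal(body):
    """Post-patch pattern (hypothetical wrapper, not ofctl_rest's own code):
    ast.literal_eval only builds Python literals (str, bytes, numbers, tuples,
    lists, dicts, sets, booleans, None) and refuses everything else, including
    function calls, attribute access and names."""
    try:
        return ast.literal_eval(body)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("request body is not a Python literal") from exc


def body_is_literal(body):
    """True when parse_body_literal would accept the body."""
    try:
        parse_body_literal(body)
        return True
    except ValueError:
        return False


def json_accepts(body):
    """True when json.loads accepts the body. Shows why the commit did not simply
    switch to JSON: a "\\x00" escape inside a JSON string is rejected."""
    try:
        json.loads(body)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


if __name__ == "__main__":
    print(parse_body_literal(DICT_BODY))
    print(repr(parse_body_literal(HEX_BYTES_BODY)))   # '\x00\x00\x00\x01'
    print("call body accepted:", body_is_literal(CALL_BODY))
    print("json accepts hex body:", json_accepts(HEX_BYTES_BODY))
    print("json accepts json body:", json_accepts(JSON_BODY))
```

Running the script prints the parsed dict, the four-character string built from the hex escapes, and False for the call body, which is the behaviour the patch relies on: literal_eval never evaluates a call, so the body can only produce data.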