[tahoe-lafs-trac-stream] [tahoe-lafs] #1860: expansion of %(uri)s in when_done parameter is ill-advised
tahoe-lafs
trac at tahoe-lafs.org
Thu Nov 15 03:31:31 UTC 2012
#1860: expansion of %(uri)s in when_done parameter is ill-advised
-------------------------------+---------------------------
Reporter: davidsarah | Owner:
Type: defect | Status: new
Priority: normal | Milestone: undecided
Component: code-frontend-web | Version: 1.9.2
Keywords: webapi | Launchpad Bug:
-------------------------------+---------------------------
At [source:git/src/allmydata/web/unlinked.py at 3d771132#L52] we see:
{{{
if "%(uri)s" in redir_to:
    redir_to = redir_to % {"uri":
                           urllib.quote(upload_results.get_uri())
                           }
}}}
This is intended to expand {{{%(uri)s}}} in the {{{when_done}}} parameter
of an unlinked upload, to the URI of the new uploaded file.
Python isn't straightforwardly vulnerable to C {{{printf}}}-style format
attacks. However, the {{{%}}} operator is still not designed to take
untrusted input on the left, and it's a bad idea to use it that way. If
nothing else, it is completely undocumentable except by reference to the
[http://docs.python.org/2/library/stdtypes.html#string-formatting-operations Python format string documentation]. Also, any {{{%}}}
characters, i.e. URL escapes, in the {{{when_done}}} URL will have to be
doubled (encoded as {{{%25%25}}} in the original URL) so that they are not
interpreted as format characters.
It isn't clear that {{{%(uri)s}}} should continue to be supported, but if
it is, then it shouldn't be implemented this way.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1860>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
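The failure mode the ticket describes, as an added example that is not part of the ticket or the tahoe-lafs code base: the same {{{when_done}}} URL passed through the {{{%}}} operator (as in {{{unlinked.py}}}) and through a literal substitution. The capability string is a constructed placeholder, and Python 3's {{{urllib.parse.quote}}} stands in for the Python 2 {{{urllib.quote}}} the ticket quotes.

```python
# Added example (not from the tahoe-lafs ticket or code base): compares the
# %-operator expansion of %(uri)s with a literal substitution that leaves
# ordinary URL escapes such as %20 untouched.
from urllib.parse import quote

# Constructed placeholder; not a real Tahoe-LAFS capability string.
SAMPLE_URI = "URI:CHK:example/key"


def expand_with_percent(redir_to, uri):
    """The ticket's approach: the untrusted when_done URL sits on the
    left of %, so every other % sequence in it is parsed as a format spec."""
    if "%(uri)s" in redir_to:
        redir_to = redir_to % {"uri": quote(uri)}
    return redir_to


def expand_with_replace(redir_to, uri):
    """Literal substitution: only the exact token %(uri)s is rewritten,
    so %20, %2F and friends survive without being doubled."""
    return redir_to.replace("%(uri)s", quote(uri))


def compare(redir_to, uri=SAMPLE_URI):
    """Return (result_or_exception_name_of_percent_version, replace_result)
    for one when_done value, so the two behaviours can be read side by side."""
    try:
        percent = expand_with_percent(redir_to, uri)
    except (ValueError, KeyError, TypeError) as exc:
        # e.g. "%20d" in "my%20docs" is read as a width-20 integer
        # conversion and the dict argument cannot be converted.
        percent = type(exc).__name__
    return percent, expand_with_replace(redir_to, uri)


if __name__ == "__main__":
    for url in ("http://example.invalid/done?cap=%(uri)s",
                "http://example.invalid/done?dir=my%20docs&cap=%(uri)s",
                "http://example.invalid/done?dir=my%%20docs&cap=%(uri)s"):
        print(url, "->", compare(url))
```

The third URL shows the doubling workaround the ticket mentions: only the {{{%%20}}} spelling (sent as {{{%25%2520}}} on the wire) survives the {{{%}}} operator as a literal {{{%20}}}.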