[Commotion-admin] [luci-commotion] Splash: Upload field allows invalid input (#420)
Dan Staples
notifications at github.com
Thu Oct 2 13:50:30 EDT 2014
Need some feedback on this. It may not be as important of an issue as I originally thought. The only danger here of arbitrary file upload is for including some malicious javascript or browser exploit. But really there's no way to scan the uploaded file and tell whether any included javascript or markup is malicious or not. Plus, we may want to allow node administrators to be able to include javascript in the welcome page text.
Another thing to consider is that you have to have root permissions to be able to upload to this page anyway. But then, an attacker could also upload to this page if they steal a root user's session cookie, and then uploading malicious markup could then harm every user connecting to the access point (assuming welcome page is turned on).
So I'm ambivalent. Either we leave this as it is, trusting the safety of LuCI's authentication system, or we impose strict limitations on what kind of markup can be included in the uploaded file (e.g. no <script> tags).
Thoughts?
---
Reply to this email directly or view it on GitHub:
https://github.com/opentechinstitute/luci-commotion/issues/420#issuecomment-57670995
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.chambana.net/pipermail/commotion-admin/attachments/20141002/a10b4be1/attachment.html>
More information about the Commotion-admin
mailing list