security problem with the spellchecker
Reported by Kevin Watt | August 8th, 2010 @ 11:24 AM
I was checking out your repository to see if you'd implemented it more elegantly than I, as I've been having some problems with it still. Still thought I'd share a basic security danger:
logger.debug("Spellchecking via: echo \"#{spell_check_text}\" | #{ASPELL_PATH} -a -l #{lang}")
spell_check_response = `echo "#{spell_check_text}" | #{ASPELL_PATH} -a -l #{lang}`
If the spell check text contains bad chars, it could run any code on the web server. Use a tempfile instead:
require 'tempfile'

if command != 'getSuggestions' #or !(Array === session['spellcheck'])
  tf = Tempfile.new("aspell_buf") # adds pid
  tf.write(spell_check_text)
  tf.seek 0 # flushes the buffered write so the file on disk is complete before cat reads it
  spell_check_response = `cat #{tf.path} | aspell -a -l #{lang}`
  tf.close!
end
lang should be sanitized as well to make sure it is exactly one of whatever the options are...
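Added example, not from the ticket or the plugin: the same spellcheck call made without a shell at all. The text goes to aspell on stdin through an argv array (so quotes, pipes and `$(...)` in it are never interpreted), and `lang` is checked against an allowlist. `ASPELL_PATH` and `ALLOWED_LANGS` are assumed values for illustration.

```ruby
# Added example (not the plugin's code): spawn aspell directly via an argv
# array, with the text on stdin, so no shell ever parses user input.
require "open3"

ASPELL_PATH = "aspell"                      # assumed binary name/location
ALLOWED_LANGS = %w[en en_US en_GB de fr es] # assumed allowlist for this deployment

# Returns lang only if it is exactly one of the allowed dictionaries.
def safe_lang(lang, allowed = ALLOWED_LANGS)
  raise ArgumentError, "unsupported language: #{lang.inspect}" unless allowed.include?(lang)
  lang
end

# Builds the argv array for aspell; each element reaches execve() as a single
# argument, so there is no shell to interpret metacharacters in lang.
def aspell_argv(lang, aspell_path = ASPELL_PATH)
  [aspell_path, "-a", "-l", safe_lang(lang)]
end

# Runs argv with text fed on stdin. Open3.capture2 with more than one argument
# never spawns /bin/sh, which removes the echo "#{text}" | ... pattern entirely.
def run_with_stdin(argv, text)
  out, status = Open3.capture2(*argv, stdin_data: text)
  raise "#{argv.first} failed: exit #{status.exitstatus}" unless status.success?
  out
end

def spell_check(text, lang)
  run_with_stdin(aspell_argv(lang), text)
end

if __FILE__ == $0
  # Constructed sample text containing characters that would break out of
  # echo "..." under a shell; here they are just bytes aspell reads.
  begin
    puts spell_check(%q(helo" ; true ; "wrld), "en")
  rescue Errno::ENOENT
    warn "aspell not installed; skipping live run"
  end
end
```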
A Ruby on Rails plugin that allows easy implementation of the TinyMCE editor into your applications.