#28 new
Kevin Watt

security problem with the spellchecker

Reported by Kevin Watt | August 8th, 2010 @ 11:24 AM

I was checking out your repository to see if you'd implemented it more elegantly than I, as I've been having some problems with it still. Still thought I'd share a basic security danger:

  logger.debug("Spellchecking via:  echo \"#{spell_check_text}\" | #{ASPELL_PATH} -a -l #{lang}")
  spell_check_response = `echo "#{spell_check_text}" | #{ASPELL_PATH} -a -l #{lang}`

if the spell check text contains bad chars, it could run any code on the web server. Use a tempfile instead:

require 'tempfile'

if command != 'getSuggestions' #or !(Array === session['spellcheck'])
  tf = Tempfile.new("aspell_buf") # adds pid
  tf.write(spell_check_text)      # text goes to disk, never into the shell command line
  tf.flush
  tf.seek 0
  spell_check_response = `cat #{tf.path} | aspell -a -l #{lang}`
  tf.close!
end

lang should be sanitized as well to make sure it is exactly one of whatever the options are...
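As an added example (not code from the plugin or from the reporter), here is one way to do both things the ticket asks for in Ruby: reject any lang that is not exactly one of the configured dictionary codes, and run aspell through Open3 with an argv array so that neither the text nor the language code is ever parsed by a shell. The text is fed to aspell on stdin, which also removes the need for the tempfile. ASPELL_PATH, ALLOWED_LANGS and the helper names are assumptions for the example; legacy_command only reproduces the ticket's original command string to show what /bin/sh would receive.

```ruby
require 'open3'

# Assumed for the example: the plugin keeps the binary path in ASPELL_PATH; the
# dictionary list would normally come from the application's configuration.
ASPELL_PATH   = "aspell"
ALLOWED_LANGS = %w[en en_GB en_US de fr es].freeze

class SpellcheckError < StandardError; end

# The ticket's original command line, reproduced only to show what the shell
# would see. A double quote in the text closes the echo string, and whatever
# follows runs as a separate command.
def legacy_command(text, lang)
  "echo \"#{text}\" | #{ASPELL_PATH} -a -l #{lang}"
end

# lang must be exactly one of the configured dictionary codes; anything else
# (including "en; id" or "en -c /etc/passwd") is rejected before execution.
def validate_lang(lang)
  lang = lang.to_s
  raise SpellcheckError, "unsupported language: #{lang.inspect}" unless ALLOWED_LANGS.include?(lang)
  lang
end

# Build argv rather than a command string: with an array, Open3 execs aspell
# directly and no shell ever parses the text or the language code.
def aspell_argv(lang)
  [ASPELL_PATH, "-a", "-l", validate_lang(lang)]
end

# Run aspell in pipe mode (-a), feeding the text on stdin instead of
# interpolating it. Metacharacters in the text are just bytes to aspell.
def spellcheck(text, lang)
  out, status = Open3.capture2(*aspell_argv(lang), stdin_data: text)
  raise SpellcheckError, "aspell exited #{status.exitstatus}" unless status.success?
  parse_aspell(out)
end

# Parse aspell -a output into { misspelled_word => [suggestions] }:
#   "*"                      word is correct
#   "& word n off: s1, s2"   misspelled, n suggestions follow
#   "# word off"             misspelled, no suggestions
#   "@..."                   version banner; a blank line ends each input line
def parse_aspell(output)
  misspelled = {}
  output.each_line do |line|
    line = line.chomp
    case line[0]
    when "&"
      head, suggestions = line.split(": ", 2)
      misspelled[head.split(" ")[1]] = suggestions.to_s.split(", ")
    when "#"
      misspelled[line.split(" ")[1]] = []
    end
  end
  misspelled
end

# Constructed sample of aspell -a output, so parsing can be exercised offline.
SAMPLE_ASPELL_OUTPUT = <<~OUT
  @(#) International Ispell Version 3.1.20 (but really Aspell 0.60.8)
  *
  & wrld 3 6: world, weld, wild
  # xyzzy 12
OUT

if __FILE__ == $0
  # What the old code would have handed to /bin/sh for a hostile text:
  puts legacy_command('"; id; echo "', "en")
  begin
    p spellcheck("hello wrld", "en")
  rescue Errno::ENOENT, SpellcheckError => e
    puts "aspell unavailable (#{e.message}); parsing the constructed sample instead:"
    p parse_aspell(SAMPLE_ASPELL_OUTPUT)
  end
end
```

Note that validating lang with a whitelist matters even with argv: aspell would otherwise happily accept an attacker-supplied value such as a path to a file, and error output from a bad dictionary name would leak into the response. Running the binary under a dedicated low-privilege user is a separate, worthwhile layer.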


A Ruby on Rails plugin that allows easy implementation of the TinyMCE editor into your applications.