[http] introduce TRootSniffer::fAllowPostObject flag#22192
[http] introduce TRootSniffer::fAllowPostObject flag#22192linev wants to merge 1 commit intoroot-project:masterfrom
TRootSniffer::fAllowPostObject flag#22192Conversation
|
|
||
| Bool_t IsAllowPostObject() const; | ||
|
|
||
| void SetAllowPostObject(Bool_t allow_post_obj = kFALSE); |
There was a problem hiding this comment.
I would remove the default value. I think it is confusing that calling SetAllowPostObject() turns off the functionality.
| Bool_t IsReadOnly() const { return fReadOnly; } | ||
|
|
||
| /** Allow to deserialize object in POST requests, default off */ | ||
| void SetAllowPostObject(Bool_t allow_post_obj = kFALSE) { fAllowPostObject = allow_post_obj; } |
There was a problem hiding this comment.
Same here regarding the default value.
| Bool_t IsAllowPostObject() const; | ||
|
|
||
| void SetAllowPostObject(Bool_t allow_post_obj = kFALSE); |
There was a problem hiding this comment.
Since this functionality is actually only relevant for the sniffer, wouldn't it be enough to add those two methods in TRootSniffer.h?
There was a problem hiding this comment.
Normally user interact with THttpServer instance. Therefore I provide such configuration methods in both classes
| } else if ((val != nullptr) && (fCurrentArg != nullptr) && (fCurrentArg->GetPostData() != nullptr)) { | ||
| // process several arguments which are specific for post requests | ||
| if (strcmp(val, "_post_object_xml_") == 0) { | ||
| if (fAllowPostObject && strcmp(val, "_post_object_xml_") == 0) { |
There was a problem hiding this comment.
What happens if you try to post but fAllowPostObject == false? It would be useful to have a test for this.
There was a problem hiding this comment.
Here I check that no I/O performed directly with POST data.
Data will be ignored.
It allows to deserialize post data as ROOT object when processing exe.json request. While this can create leads to arbitrary code loading and injection, disable this feature by default. Can be enabled back with: ``` serv->SetAllowPostObject(kTRUE); ```
Test Results 22 files 22 suites 3d 11h 26m 32s ⏱️ For more details on these failures, see this check. Results for commit 3572f6a. |
2 participants
It allows to deserialize post data as ROOT object when processing
exe.jsonrequest.While this is sensitive functionality which can leads to arbitrary code loading and injection,
disable this feature by default. Can be enabled back with: