Midas DAQ System
13 Jun 2023, Thomas Senger, Forum, Include subroutine through relative path in sequencer
13 Jun 2023, Stefan Ritt, Forum, Include subroutine through relative path in sequencer
13 Jun 2023, Marco Francesconi, Forum, Include subroutine through relative path in sequencer
13 Jun 2023, Stefan Ritt, Forum, Include subroutine through relative path in sequencer
Message ID: 2540
Entry time: 13 Jun 2023
In reply to: 2533

Author: Stefan Ritt
Topic: Forum
Subject: Include subroutine through relative path in sequencer

> When I did this job for MEG II we decided not to include relative paths and the ".." folder to avoid an exploit called "XML Entity Injection".
> In short, it is to avoid leaking files outside the sequencer folders like /etc/password or private SSH keys.
> I do not remember in this moment why we pushed for absolute paths instead, but let's keep this in mind.
I thought about that. But before we had absolute paths in the sequencer INCLUDE statement. So having "../../../etc/passwd" is as bad as the
absolute path "/etc/passwd". So nothing really changed. What we really should prevent is to LOAD files into the sequencer from outside the
sequence subdirectory. And this is prevented by the file loader. Actually we will soon replace the file loader with a modern JS dialog, and
the code restricts all operations to within the experiment directory and below.

Stefan
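The point made above, that a bare ".." is not the problem but a resolved path leaving the sequencer directory is, can be checked directly. The following is an added, constructed example (not MIDAS code): `resolve_include` rejects absolute paths, resolves symlinks, and accepts an INCLUDE only if the final real path is still under the base directory; `demo` builds a throwaway tree to exercise it. All names here are assumptions for illustration.

```python
"""Confine sequencer INCLUDE paths to the sequencer directory (constructed example)."""
import os
import tempfile


class IncludeOutsideTree(ValueError):
    """Raised when an INCLUDE would read a file outside the sequencer directory."""


def resolve_include(base_dir: str, include_path: str) -> str:
    """Return the real path of include_path if it stays under base_dir, else raise."""
    if os.path.isabs(include_path):
        raise IncludeOutsideTree(f"absolute paths are not allowed: {include_path}")
    root = os.path.realpath(base_dir)
    # realpath normalises ".." and follows symlinks, so the check is on the real target
    target = os.path.realpath(os.path.join(root, include_path))
    # commonpath compares whole components, so "<root>2/x" is not mistaken for "<root>/x"
    if os.path.commonpath([root, target]) != root:
        raise IncludeOutsideTree(f"include escapes {root}: {include_path} -> {target}")
    return target


def demo() -> dict:
    """Build a constructed sequencer tree and report which INCLUDE paths are accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        seq = os.path.join(tmp, "sequencer")
        os.makedirs(os.path.join(seq, "lib"))
        open(os.path.join(seq, "lib", "common.msl"), "w").close()
        open(os.path.join(tmp, "secret.txt"), "w").close()  # outside the sequencer tree
        # a symlink placed inside the tree that points outside it
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(seq, "lib", "leak.msl"))
        for path in (
            "lib/common.msl",          # plain include inside the tree
            "lib/../lib/common.msl",   # ".." that stays inside is harmless
            "../secret.txt",           # ".." that leaves the tree
            "/etc/passwd",             # absolute path
            "lib/leak.msl",            # symlink escape
        ):
            try:
                resolve_include(seq, path)
                results[path] = True
            except IncludeOutsideTree:
                results[path] = False
    return results


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{'accept' if ok else 'reject'}  {path}")
```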