Opened 3 years ago

Closed 18 months ago

#5850 closed defect (fixed)

Security issue: GUI file access, protected config values, and mods

Reported by: wraitii Owned by: Silier
Priority: Must Have Milestone: Alpha 27
Component: Core engine Keywords:
Cc: Patch: Phab:D4617

Description

As discussed on IRC.

We have protected config entries that can't be used by JS, such as userreport.id. However, the gui can just `Engine.ReadFile('config/user.cfg') and get that data anyways.

Further, WriteJSONFile can overwrite any file.

These all seem like problems, particularly since we do prevent some access in the simulation ReadJSONFile for example.

Change History (6)

comment:1 by Freagarach, 3 years ago

[16:55:07] <elexis> (https://trac.wildfiregames.com/ticket/5850 see also https://wildfiregames.com/forum/topic/24722-improving-mod-security/ or some commit / revision proposals where the same issue appeared with modifying a config value without protection)

comment:2 by wraitii, 3 years ago

Milestone: Alpha 24Alpha 25

comment:3 by Stan, 3 years ago

Milestone: Alpha 25Alpha 26

comment:4 by Freagarach, 2 years ago

Milestone: Alpha 26Alpha 27

;(

comment:5 by phosit, 22 months ago

Patch: Phab:D4617

comment:6 by Silier, 18 months ago

Owner: set to Silier
Resolution: fixed
Status: newclosed

In 27202:

Restrict access for Read/WriteFile functions

For security reasons planing to restrict access for ReadFile, ReadFileLines, WriteJSONFile, ReadJSONFile, ListDirectoryFiles, FileExists to the following folders/files:

"gui, simulation, maps, campaigns, saves/campaigns, config/matchsettings.json, config/matchsettings.mp.json"
adding "moddata" if some mods need to access and ship custom files that don't fit into other locations mentioned above

Differential revision: D4617
Reviewed by: @phosit
Comments by: @Stan @vladislavbelov
Fixes: #5850

Note: See TracTickets for help on using tickets.