From 895a65fdb93c1ec0b99dbb2e6960d7d88db065cc Mon Sep 17 00:00:00 2001
From: Matthias Hannig
Date: Tue, 28 Jun 2016 18:04:39 +0200
Subject: [PATCH 1/2] Fixed remote code execution through unpickling untrusted code.
---
 helpdesk/views/staff.py | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/helpdesk/views/staff.py b/helpdesk/views/staff.py
index 0a652ebb..e3df2434 100644
--- a/helpdesk/views/staff.py
+++ b/helpdesk/views/staff.py
@@ -773,12 +773,14 @@ def ticket_list(request):
 if not (saved_query.shared or saved_query.user == request.user):
 return HttpResponseRedirect(reverse('helpdesk_list'))
- try:
- import pickle
- except ImportError:
- import cPickle as pickle
+ import json
 from helpdesk.lib import b64decode
- query_params = pickle.loads(b64decode(str(saved_query.query)))
+ try:
+ query_params = json.loads(b64decode(str(saved_query.query)))
+ except ValueError:
+ # Query deserialization failed. (E.g. was a pickled query)
+ return HttpResponseRedirect(reverse('helpdesk_list'))
+
 elif not (
 'queue' in request.GET or
 'assigned_to' in request.GET or
 'status' in request.GET
@@ -879,12 +881,9 @@ def ticket_list(request):
 search_message = _('
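Review bot: The decoded `query_params` is still used without checking its shape, so a stored query that decodes to a JSON list, number or string passes the new `except` and presumably reaches the query-building code later in `ticket_list` instead of the redirect; add `if not isinstance(query_params, dict): return HttpResponseRedirect(reverse('helpdesk_list'))` right after the `json.loads` line (the `run_report` hunk at -1053 has the same gap, and there `apply_query` is called on it directly). The `except ValueError` is also narrower than the failure modes: if `helpdesk.lib.b64decode` returns `bytes`, `json.loads` raises `TypeError` on Python 3.5 and earlier, and Python 2's `base64` reports bad padding as `TypeError` too, so `except (ValueError, TypeError):` is the safe narrow set, or decode to text first with `.decode('utf-8')` to mirror the `.encode('UTF-8')` the second patch adds on the write side. The rest of `ticket_list` lies outside the hunk.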

Note: Your keyword search is case sensitive because of your database. This means the search will not be accurate. By switching to a different database system you will gain better searching! For more information, read the Django Documentation on string matching in SQLite.')
- try:
- import pickle
- except ImportError:
- import cPickle as pickle
+ import json
 from helpdesk.lib import b64encode
- urlsafe_query = b64encode(pickle.dumps(query_params))
+ urlsafe_query = b64encode(json.dumps(query_params))
 user_saved_queries = SavedSearch.objects.filter(Q(user=request.user) | Q(shared__exact=True))
@@ -1053,12 +1052,13 @@ def run_report(request, report):
 if not (saved_query.shared or saved_query.user == request.user):
 return HttpResponseRedirect(reverse('helpdesk_report_index'))
- try:
- import pickle
- except ImportError:
- import cPickle as pickle
+ import json
 from helpdesk.lib import b64decode
- query_params = pickle.loads(b64decode(str(saved_query.query)))
+ try:
+ query_params = json.loads(b64decode(str(saved_query.query)))
+ except:
+ return HttpResponseRedirect(reverse('helpdesk_report_index'))
+
 report_queryset = apply_query(report_queryset, query_params)
 from collections import defaultdict
From 5f0191957f65a9f2e9d4f95b26eef70143b80b5f Mon Sep 17 00:00:00 2001
From: Matthias Hannig
Date: Tue, 28 Jun 2016 18:44:54 +0200
Subject: [PATCH 2/2] fixed python3 compat issue
---
 helpdesk/views/staff.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helpdesk/views/staff.py b/helpdesk/views/staff.py
index e3df2434..dc9252fd 100644
--- a/helpdesk/views/staff.py
+++ b/helpdesk/views/staff.py
@@ -883,7 +883,7 @@ def ticket_list(request):
 import json
 from helpdesk.lib import b64encode
- urlsafe_query = b64encode(json.dumps(query_params))
+ urlsafe_query = b64encode(json.dumps(query_params).encode('UTF-8'))
 user_saved_queries = SavedSearch.objects.filter(Q(user=request.user) | Q(shared__exact=True))
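Review bot: `import json` is now repeated inside `ticket_list` (here and in the hunk at -773) and a third time in `run_report`; the old try/except local import existed only to fall back to `cPickle`, and `json` needs no such fallback, so the import belongs at module top with the other imports, with the three function-local lines dropped. Separately, `json.dumps` raises `TypeError` for values it cannot serialize, whereas `pickle.dumps` accepted anything, so if `query_params` ever carries something other than plain str/int/bool/list/dict (cannot be confirmed from this hunk) the save path now fails where it used to succeed; worth a short comment on this line such as `# query_params must stay JSON-serializable: it is persisted and reloaded with json.loads`. The enclosing function continues outside the hunk.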
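Review bot: The bare `except:` around `json.loads` in `run_report` catches everything, including `KeyboardInterrupt`, `SystemExit` and programming errors inside `b64decode`, and hides them behind a silent redirect; it should match the `ticket_list` hunk at -773 and catch only the decode failures, e.g. `except (ValueError, TypeError):` (JSON decode errors derive from `ValueError`; `TypeError` covers `bytes` input on Python 3.5 and earlier and Python 2 base64 padding errors). The explanatory comment from the other hunk should be carried over as well, `# Query deserialization failed (e.g. a legacy pickled query); refuse it rather than guess`, so a later reader knows the redirect is deliberate. `run_report` continues outside the hunk.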