Skip to content

[6.34] [http] sanitize URL options before use them#22357

Closed
linev wants to merge 6 commits into
root-project:v6-34-00-patchesfrom
linev:http_sanity_634
Closed

[6.34] [http] sanitize URL options before use them#22357
linev wants to merge 6 commits into
root-project:v6-34-00-patchesfrom
linev:http_sanity_634

Conversation

@linev

@linev linev commented May 20, 2026

Copy link
Copy Markdown
Member

Backport of #22186

linev added 6 commits May 20, 2026 16:07
@linev
[http] cleanup URL option before usage
123cf84 
Remove any special symbols
Add escape characters for quote and escape itself
Discard all URL options longer than 1K

Try to avoid manipulation of arguments for method execution
@linev
[http] cleanup draw option in image production
49f7218 
Avoid special characters as draw arguments
@linev
[http] strictly check arguments in ProduceExe
0e05cc2 
Always use DecodeUrlOptionValue method when processing URL arguments
or URL string. Internally method provides escape symbols for quotes and backslash.
If expecting numeric value - remove all symbols
keeping alphanumeric, '.', '+', '-' and ':'
@linev
[http] introduce fAllowPostObject flag
4e555c7 
It allows to deserialize post data as ROOT object when processing exe.json request.
While this can leads to arbitrary code loading and injection, disable this feature by default.
Can be enabled back with:
 ```
serv->SetAllowPostObject(kTRUE);
```
@linev
[http] analyze arguments of cmd.json
61851b1 
While here arbitrary string injected into ProcessLine,
ensure that only numeric argument is not quoted.
All other arguments kinds will be quoted and prevent execution of potentially dangerous code
@linev
[test] add ROOT sniffer testing
35a4f96 
Verify execution of several supported requests
which can be handled by http server. Testing:
   - root.json
   - root.xml
   - file.root
   - exe.json
   - exe.json with POST data
   - item.json
   - cmd.json
   - multi.json

Also verify basic functionality of
TRootSniffer::DecodeUrlOptionValue method
@linev linev self-assigned this May 20, 2026
@linev linev requested a review from bellenot as a code owner May 20, 2026 14:10
@github-actions

github-actions Bot commented May 20, 2026

Copy link
Copy Markdown

Test Results

     9 files       9 suites   1d 5h 12m 12s ⏱️
 2 603 tests  2 596 ✅ 0 💤  7 ❌
23 237 runs  23 191 ✅ 0 💤 46 ❌

For more details on these failures, see this check.

Results for commit 35a4f96.

@dpiparo dpiparo closed this May 20, 2026
@dpiparo

dpiparo commented May 20, 2026

Copy link
Copy Markdown
Member

6.34 is an inactive series since June 2025. This is because 6.34 was a STS release. All details here: https://root.cern/install/all_releases/

@linev linev deleted the http_sanity_634 branch May 21, 2026 05:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bellenot bellenot Awaiting requested review from bellenot bellenot is a code owner

Assignees

@linev linev

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@linev @dpiparo