Error templates allow query-based override of variables

Description

We received the attached report from an unknown security researcher through Finnish CERT. We have not yet verified the data ourselves but felt obligated to share this with you as soon as possible. We are not aware whether you have received this via other channels.


Activity

atuomi@csc.fi March 16, 2021 at 3:13 PM

We don't know the identity of the original reporter and neither did the party that relayed it to us. Thanks for a prompt fix.

Scott Cantor March 16, 2021 at 3:01 PM

If somebody should be credited in the advisory for this, please let me know, otherwise I'll just leave that out and can update it later.

Scott Cantor March 16, 2021 at 2:57 PM

Fixed via a new Errors setting, externalParameters, which defaults to false. It suppresses injection of the request into the TemplateParameters field that allows the lookup. It can be turned on by people who think they really want this for now.
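
The lookup path that comment describes, as an added illustration that is not the Shibboleth SP's C++ code: a simplified TemplateParameters model in which the HTTP request is only consulted when externalParameters is on, with the `<shibmlp name/>` substitution tag of SP templates and a constructed template, value set and query string; the assumption that a request value takes precedence over the application's own value is this model's, taken from the issue title.

```python
import re
from urllib.parse import parse_qs

# Simplified model (added here, not the Shibboleth SP's own code) of the
# behaviour the issue describes: the HTTP request is handed to the
# template parameter object, so a template variable can be satisfied
# from the query string. The new Errors setting externalParameters
# (default false) keeps the request out of the lookup entirely.

SUBST = re.compile(r"<shibmlp\s+(\w+)\s*/>")


class TemplateParameters:
    def __init__(self, app_values, query_string="", external_parameters=False):
        self.app_values = dict(app_values)
        # Only keep the request when the deployer turned the feature on.
        self.request = (
            parse_qs(query_string, keep_blank_values=True)
            if external_parameters else {}
        )

    def get(self, name):
        # Model assumption: a request value wins over the value the
        # application set (the "override" in the issue title).
        if name in self.request:
            return self.request[name][0]
        return self.app_values.get(name, "")


def render(template, params):
    """Replace each <shibmlp name/> tag with the parameter value."""
    return SUBST.sub(lambda m: params.get(m.group(1)), template)


# Constructed template, values and request; not from the SP distribution.
TEMPLATE = "<p>Error: <shibmlp errorText/> (<shibmlp contactEmail/>)</p>"
APP_VALUES = {"errorText": "Session not found", "contactEmail": "help@example.org"}
QUERY = "contactEmail=other%40example.net&errorText=Call+us+now"


def render_legacy():
    # Pre-fix behaviour: query parameters reach the error template.
    return render(TEMPLATE, TemplateParameters(APP_VALUES, QUERY, external_parameters=True))


def render_hardened():
    # Default after the fix: the same request changes nothing.
    return render(TEMPLATE, TemplateParameters(APP_VALUES, QUERY))


if __name__ == "__main__":
    print(render_legacy())
    print(render_hardened())
```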

Scott Cantor March 16, 2021 at 2:32 PM

The actual pass-through of the request into the template layer was added in SP commit 109ccda928baa45021837cb59fd2aad960006941 and the note on it is that it was mainly for logout. I still can't think of why that would have been useful, let alone necessary, but possibly it allowed for people to trigger logout with additional parameters and then detect those in a template to do other things.

There are almost always going to be other ways to achieve that sort of thing, so I'm still inclined to just globally toggle it off.

Scott Cantor March 16, 2021 at 1:13 PM

The feature was added in 2007 in commit 6b323155d5aabd942df1fe6836cf0e507c2dfeb5. I do not have a clear indication of why. I have reviewed all the places the HTTP request is injected into the TemplateParameters object to allow this, and not one of them has an obvious reason why it would be needed; it's pretty hard for me to really think of a scenario where you'd want it.

I'm inclined to just add an internal sort of option to suppress this and toggle it on by default so that the patch would harden everything but provide a compatibility option in case somebody really needs more time to remediate something they're relying on, which would probably help motivate the feature and might lead to a better way to handle whatever it was that this was trying to achieve.

Fixed

Created March 16, 2021 at 8:43 AM
Updated March 17, 2021 at 12:10 PM
Resolved March 16, 2021 at 3:08 PM