Skip to content
Snippets Groups Projects
Select Git revision
  • fix/89
  • 2.11.5-picodata default protected
  • sd/exec
  • funbringer/2.11.5-fix-select-param-having
  • sd/small_tuple
  • sd/tuple_buf
  • sd/execute_result
  • gmoshkin/more-backports
  • gmoshkin/more-backports-WIP
  • sd/64-bit
  • sd/wf_fixups protected
  • sd/c813750b7
  • funbringer/2.11.5-extend-op-result-row
  • gmoshkin/fix-window-in-subquery protected
  • sd/fix_r10
  • sd/window
  • sd/fix_sq
  • sd/fix_window_sq_panic
  • picodata-25.1
  • ekhamitov/sd/window-v2
  • 2.11.5 protected
  • 2.11.2.159 protected
  • 2.11.4 protected
  • 2.11.2.155 protected
  • 2.11.2.148 protected
  • 2.11.2.145 protected
  • 2.11.2.137 protected
  • 2.11.2.136 protected
  • 2.11.2.135 protected
  • 2.11.3 protected
  • 2.11.2.109 protected
  • 2.11.2.108 protected
  • 2.11.2.105 protected
  • 2.11.2.98 protected
  • 2.11.2.97 protected
  • 2.11.2.96 protected
  • 2.11.2.92 protected
  • 2.11.2 protected
  • 3.0.0-beta1 protected
  • 2.11.0.91 protected
40 results
Compare
user avatar
box: eliminate code injection in replication_synchro_quorum
Alexander Turenko authored 
It was possible to execute arbitrary Lua code outside of the setfenv()
environment. Example:

NO_WRAP
```lua
tarantool> box.cfg{replication_synchro_quorum = [=[N / 2 + 1]] _G.test = true --[[]=]}
tarantool> test
---
- true
...
```
NO_WRAP

How it works:

```lua
local expr = [[%s]]
```

Let's assume that `%s` is replaced by `]]<..code..>--[[`. The result is the
following (newlines are added for readability):

```lua
local expr = [[]]
<..code..>
--[[]]
```

This code is executed outside of the setfenv() protected function.

The fix is to pass the expression as an argument instead of using
`snprintf()`.

Fixes https://github.com/tarantool/security/issues/20
Fixes GHSA-74jr-2fq7-vp42

NO_DOC=bugfix
fbc4cbf3
History
user avatar fbc4cbf3
History
Name Last commit Last update