Page MenuHomePhabricator

tor-controlport-filter security review
Closed, ResolvedPublic


TODO: Check as far as some connection coming from the workstation talking to cpfpy can do something really bad such as getting a shell on the gateway.

Malicious yml files are not part of the threat model. They are trusted. Because someone with the capability to place malicious yml files already has better options to compromise the system.



Event Timeline

Small change. I know this is not in the purview of this task, but may be good to have.

load() is very in-secure function to have. It allows creating arbitrary Python objects.
Using safe_load(0 instead for loading yaml documents. The function safe_load() limits this to simple Python objects like integers,lists etc. It will prevent yaml document with embedded python/shell code in it.

Sure. Good to have. Thanks, merged!

Hi Patrick,

I analyzed the file - /usr/lib/tor-controlport-filter
There are two "entry points"

  1. YML files (which is considered safe here)
  2. The commands which are entered by the workstation like
  3. saveconfig
  5. could be anything


What I found is that - parsing of commands are tightly bound , i.e. if
any command is entered, it is matched against the pre-defined set. If
it does not match, it is filtered out.
So not much chance of security concern in that perspective.