
[6.26] [http] sanitize URL options before using them #22364

Merged
linev merged 6 commits into root-project:v6-26-00-patches from linev:http_sanity_626
May 21, 2026

Conversation

linev (Member) commented May 21, 2026

Backport of #22186

linev added 5 commits May 21, 2026 07:56
Remove any special symbols
Add escape characters for quotes and the escape character itself
Discard all URL options longer than 1K

Try to avoid manipulation of arguments for method execution
Avoid special characters as draw arguments
Always use the DecodeUrlOptionValue method when processing URL arguments
or the URL string. Internally the method escapes quotes and backslashes.
If a numeric value is expected, remove all symbols,
keeping only alphanumeric characters, '.', '+', '-' and ':'.
It allows deserializing POST data as a ROOT object when processing an exe.json request.
Since this can lead to arbitrary code loading and injection, disable this feature by default.
It can be enabled back with:
```
serv->SetAllowPostObject(kTRUE);
```
Since here an arbitrary string is injected into ProcessLine,
ensure that only a numeric argument is left unquoted.
All other kinds of arguments will be quoted, preventing execution of potentially dangerous code
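The sanitization rules the commit messages above describe, as an added illustrative example in C++ that is not ROOT's own code and not TRootSniffer::DecodeUrlOptionValue: the names EscapeOptionValue, SanitizeNumeric, BuildArgList, Arg and kMaxOptionLen are assumptions, and the 1024-byte boundary is an assumed reading of "longer than 1K". It shows why escaping quotes and backslashes, stripping a numeric argument down to the listed character set, and quoting every non-numeric argument keeps an injected string from being executed when it is spliced into an interpreter call such as ProcessLine.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Assumed upper bound for one URL option value; the commit message says
// options longer than 1K are discarded, the exact boundary is an assumption.
constexpr std::size_t kMaxOptionLen = 1024;

// Escape the two characters that let a value break out of a string literal
// when spliced into an interpreter call: backslash and double quote.
// Over-long values are discarded (returned as an empty string).
std::string EscapeOptionValue(const std::string &value)
{
   if (value.size() > kMaxOptionLen)
      return std::string();
   std::string out;
   out.reserve(value.size() + 8);
   for (char c : value) {
      if (c == '\\' || c == '"')
         out.push_back('\\');
      out.push_back(c);
   }
   return out;
}

// For an argument that must be numeric, keep only the characters the commit
// message lists: alphanumerics, '.', '+', '-' and ':'. Parentheses, quotes,
// semicolons and spaces are dropped, so no call syntax survives into an
// unquoted position.
std::string SanitizeNumeric(const std::string &value)
{
   if (value.size() > kMaxOptionLen)
      return std::string();
   std::string out;
   for (char c : value) {
      unsigned char uc = static_cast<unsigned char>(c);
      if (std::isalnum(uc) || c == '.' || c == '+' || c == '-' || c == ':')
         out.push_back(c);
   }
   return out;
}

// One argument of a method call plus whether the caller expects a number.
struct Arg {
   std::string value;
   bool numeric;
};

// Build the argument list for an interpreter call. Only an argument flagged
// as numeric is emitted bare; every other kind is escaped and wrapped in
// double quotes, so the interpreter sees it as string data, not code.
std::string BuildArgList(const std::vector<Arg> &args)
{
   std::string out;
   for (std::size_t i = 0; i < args.size(); ++i) {
      if (i)
         out += ", ";
      if (args[i].numeric)
         out += SanitizeNumeric(args[i].value);
      else
         out += "\"" + EscapeOptionValue(args[i].value) + "\"";
   }
   return out;
}

int main()
{
   // Constructed attack string: tries to close the argument list and append
   // an interpreter statement.
   const std::string attack = "1); gSystem->Exec(\"id\"); //";
   std::cout << "quoted:  " << BuildArgList({{attack, false}}) << "\n";
   std::cout << "numeric: " << BuildArgList({{attack, true}}) << "\n";
   return 0;
}
```

In the quoted case the embedded double quotes are escaped, so the whole attack remains the content of one string literal; in the numeric case only `1gSystem-Execid` survives, which is not a valid expression and carries no call syntax. Alphanumeric survivors can still spell an identifier, which is exactly what the commit message's character set permits, so a caller that needs a strict number should additionally parse the result as one.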
@linev linev self-assigned this May 21, 2026
@linev linev requested a review from bellenot as a code owner May 21, 2026 05:58
github-actions Bot commented May 21, 2026

Test Results

3 files, 3 suites, 9h 5m 37s ⏱️
2 328 tests: 2 327 ✅ 0 💤 1 ❌
6 942 runs: 6 941 ✅ 0 💤 1 ❌


Results for commit fb34b18.


linev force-pushed the http_sanity_626 branch 3 times, most recently from 5819f74 to 97bfb9a on May 21, 2026 06:21
Verify execution of several supported requests
which can be handled by the http server. Testing:
   - root.json
   - root.xml
   - file.root
   - exe.json
   - exe.json with POST data
   - item.json
   - cmd.json
   - multi.json

Also verify basic functionality of the
TRootSniffer::DecodeUrlOptionValue method
linev force-pushed the http_sanity_626 branch from 97bfb9a to fb34b18 on May 21, 2026 07:06
@linev linev merged commit ce9863f into root-project:v6-26-00-patches May 21, 2026
3 of 6 checks passed
@linev linev deleted the http_sanity_626 branch May 21, 2026 09:23