Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#31907 closed Bug (fixed)

Inconsistent key validation checks in cache backends.

Reported by: Nick Pope Owned by: Nick Pope
Component: Core (Cache system) Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Nick Pope)

The fix for CVE2020-13254 ensured that validate_key() was called for most cache-related operations to avoid a potential get/set key-clash.

There are some other operations that are not properly validated in some of the backend (sub)classes:

  • LocMemcache.touch()
  • BaseMemcachedCache.delete_many()
  • MemcachedCache.touch()
  • MemcachedCache.get()
  • MemcachedCache.delete()
  • PyLibMCCache.touch()

The fix to this should also include a test to ensure that self.validate_key(key) is called for all operations to avoid this issue in future.

Note that this was originally raised via the security mailing list, but the decision was to handle this by raising a pull request.

The main concern here is the potential for data loss in the unvalidated delete() and delete_many() operations.

Change History (6)

comment:1 by Nick Pope, 4 years ago

Has patch: set

comment:2 by Nick Pope, 4 years ago

Description: modified (diff)

comment:3 by Carlton Gibson, 4 years ago

Triage Stage: UnreviewedAccepted

comment:4 by Mariusz Felisiak <felisiak.mariusz@…>, 4 years ago

In 9e04b242:

Refs #31907 -- Added cache key validation tests for cache operations.

comment:5 by Mariusz Felisiak <felisiak.mariusz@…>, 4 years ago

Resolution: fixed
Status: assignedclosed

In b5acb9db:

Fixed #31907 -- Fixed missing validate_key() calls in cache backends.

comment:6 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In b8824e8:

Refs #31907 -- Fixed incorrect argument for delete_many() in cache tests.

Note: See TracTickets for help on using tickets.
Back to Top