From 31353a95dd4fb43a13a67b549cad214c214c2302 Mon Sep 17 00:00:00 2001
From: Yusuke Iwase
Date: Mon, 10 Nov 2014 13:44:33 +0900
Subject: [PATCH] fix security problem of some RESTful apps

I'm very sorry I didn't include rest_firewall.py and rest_qos.py in my patch. I suggested for ofctl_rest.py only... Here is the patch for rest_firewall.py and rest_qos.py.
---------------------------------------------------------------
Subject: [PATCH] fix security problem of some RESTful apps
It is not safe to use eval function because input data(request body) is not checked For example, someone can send this data to remove all files in the directory "import('os').system('rm -rf .')" I suggest to use json.loads to parse the request body if the data is json format or disable builtin functions like: eval(req.body, {"__builtins__":None})
Signed-off-by: Takeshi
Signed-off-by: IWASE Yusuke
Signed-off-by: FUJITA Tomonori
---
 ryu/app/rest_firewall.py | 4 ++--
 ryu/app/rest_qos.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ryu/app/rest_firewall.py b/ryu/app/rest_firewall.py
index 01eb6e27..4e52b1fc 100644
--- a/ryu/app/rest_firewall.py
+++ b/ryu/app/rest_firewall.py
@@ -492,7 +492,7 @@ class FirewallController(ControllerBase):
     def _set_rule(self, req, switchid, vlan_id=VLANID_NONE):
         try:
-            rule = eval(req.body)
+            rule = json.loads(req.body)
         except SyntaxError:
             FirewallController._LOGGER.debug('invalid syntax %s', req.body)
             return Response(status=400)
@@ -516,7 +516,7 @@ class FirewallController(ControllerBase):
     def _delete_rule(self, req, switchid, vlan_id=VLANID_NONE):
         try:
-            ruleid = eval(req.body)
+            ruleid = json.loads(req.body)
         except SyntaxError:
             FirewallController._LOGGER.debug('invalid syntax %s', req.body)
             return Response(status=400)
diff --git a/ryu/app/rest_qos.py b/ryu/app/rest_qos.py
index 057a3fdd..537639f1 100644
--- a/ryu/app/rest_qos.py
+++ b/ryu/app/rest_qos.py
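Review bot: The `except SyntaxError:` clause that follows the new `rule = json.loads(req.body)` line in `_set_rule` no longer matches what the call can raise: `json.loads` reports malformed input with `ValueError` (`json.JSONDecodeError`, a `ValueError` subclass, on Python 3.5+) and never `SyntaxError`, so a non-JSON body now escapes the handler as an unhandled exception instead of producing the intended 400. The same mismatch is in the `_delete_rule` hunk below and in the `_access_switch` hunk of ryu/app/rest_qos.py. Changing each clause to `except ValueError:` restores the 400 path; if `req.body` is ever `bytes` rather than `str` on a Python 3 release before 3.6, `json.loads` raises `TypeError` there as well and that would need the same handling. Both `_set_rule` and `_delete_rule` continue past the end of their hunks, so what happens to the parsed value afterwards is not visible here.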
@@ -499,7 +499,7 @@ class QoSController(ControllerBase):
     def _access_switch(self, req, switchid, vlan_id, func, waiters):
         try:
-            rest = json.loads(req.body) if req.body else {}
+            rest = json.loads(req.body) if req.body else {}
         except SyntaxError:
             QoSController._LOGGER.debug('invalid syntax %s', req.body)
             return Response(status=400)
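Review bot: `rest = json.loads(req.body) if req.body else {}` still accepts any valid JSON value, not only an object: a body of `[]`, `"x"`, `42` or `null` decodes without error and, given the `{}` fallback chosen for an empty body, presumably reaches code that expects a dict. A shape check directly after the parse, `if not isinstance(rest, dict): return Response(status=400)`, would reject such bodies at the request boundary with the same status the malformed-syntax path uses. The same observation likely applies to `rule` in `_set_rule` of ryu/app/rest_firewall.py; what `_access_switch` does with `rest` lies outside the hunk.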