affects OMERO versions 5.2.7 and earlier
A user could create an OriginalFile and adjust its path such that it now points to another user's file on the underlying filesystem, then manipulate the user's data.
The uniqueness constraint on (path, name, repo) does not prevent this because of the trick of using "/./" (maybe for some repos "/../") or whatever in the path. The fix is to disallow new path/name with ".." and "." components when editing existing OriginalFile instances.
OMERO.server up to and including 5.2.7.
High severity.
None
All OMERO.servers should be upgraded to at least 5.2.8.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18