QLExpress 3.3.2 Blacklist and whitelist bypass #295

Closed
L1aovo opened this issue Sep 14, 2023 · 1 comment
L1aovo commented Sep 14, 2023

The content of this issue has been deleted due to RCTF2024

DQinYuan (Collaborator) commented Sep 16, 2023

Actually, QLExpress is mostly used to configure operational systems inside the company, i.e. it is configured by trusted people; it was not meant to execute scripts coming from outside the company, so security was not made this strong before.

The blacklist exists only for backward compatibility and does not guarantee security.
There is indeed a problem with the whitelist for constructors; we will fix it.
For scripts that come from external input, we still recommend using sandbox mode and treating QLExpress purely as an expression language.
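The sandbox-mode setup the comment above recommends for externally supplied scripts, as an added example that is not code from the issue or from the QLExpress project. It assumes the `QLExpressRunStrategy.setSandBoxMode` and `ExpressRunner.addFunctionOfClassMethod` APIs of QLExpress 3.3.x; `PricingHelper` is a hypothetical business helper and the scripts are constructed.

```java
import com.ql.util.express.DefaultContext;
import com.ql.util.express.ExpressRunner;
import com.ql.util.express.config.QLExpressRunStrategy;

public class SandboxedEvaluation {

    // Hypothetical helper: the only Java method untrusted scripts may reach.
    public static class PricingHelper {
        public static double discount(double price, double pct) {
            return price * (1.0 - pct / 100.0);
        }
    }

    private final ExpressRunner runner = new ExpressRunner();

    public SandboxedEvaluation() throws Exception {
        // Sandbox mode (assumed QLExpress 3.3.x API): scripts get operators,
        // variables and explicitly registered functions only, no class or
        // method lookup, so the blacklist/whitelist checks are not relied on.
        QLExpressRunStrategy.setSandBoxMode(true);
        runner.addFunctionOfClassMethod("discount", PricingHelper.class, "discount",
                new Class<?>[]{double.class, double.class}, null);
    }

    public Object evaluate(String script, DefaultContext<String, Object> vars) throws Exception {
        // errorList = null, isCache = false, isTrace = false
        return runner.execute(script, vars, null, false, false);
    }

    public static void main(String[] args) throws Exception {
        SandboxedEvaluation sandbox = new SandboxedEvaluation();
        DefaultContext<String, Object> vars = new DefaultContext<>();
        vars.put("price", 200.0);

        // Constructed script using only a variable and the registered function.
        System.out.println(sandbox.evaluate("discount(price, 15)", vars));

        // Constructed script that tries to reach a JDK class; in sandbox mode
        // this must be refused rather than resolved through the class path.
        try {
            sandbox.evaluate("java.lang.System.getProperty(\"user.home\")", vars);
        } catch (Exception e) {
            System.out.println("rejected by sandbox: " + e.getClass().getSimpleName());
        }
    }
}
```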

@DQinYuan DQinYuan mentioned this issue Dec 9, 2023
DQinYuan added a commit that referenced this issue Mar 31, 2024
@L1aovo L1aovo closed this as completed May 21, 2024
L1aovo changed the title from "QLExpress 3.3.2 黑白名单绕过 Blacklist and whitelist bypass" (黑白名单绕过 = blacklist/whitelist bypass) to "QLExpress 3.3.2 Blacklist and whitelist bypass" May 21, 2024