The A List Apart Blog Presents:

Pattern Library Security Vulnerability


If you’re running a version of the ALA pattern library that’s more than a few weeks old on a public server, please update it right away. The script that powers the navigation in the pattern library was found to have a glaring security issue: it would let a visitor read any file the web server process has permission to open, including files outside the web root. If you’re only running the pattern library locally there’s nothing to worry about, but you should pull the latest from the repository just the same.

To view the patterns in isolation, a small PHP script checks for a path variable in the URL and then uses include() to pull that one snippet of markup into the page. If the variable isn’t present, all the patterns are rendered instead.

Unfortunately, because this script had only ever been used on internal projects, it operated on a certain level of trust: whatever was passed in that path variable was handed straight to include(), with no restriction or filtering. A path that pointed outside the pattern library’s directory, or outside the web server’s public root altogether, would simply be rendered on a public page. File permissions aside, that meant public read access to any file on a server hosting the pattern library; and since include() executes any PHP it finds in the file it loads, the impact of this class of bug is not necessarily limited to disclosure.

This issue has since been resolved and the input is now validated before it reaches include(). We’re ensuring that special characters are escaped, that the path variable can’t point to any parent directory, and that the file being included has an .html extension. The two checks that actually close the hole are the last two: rejecting parent-directory segments keeps the lookup inside the pattern library, and requiring an .html name rules out absolute paths and PHP stream wrappers. Escaping on its own does nothing for an include() call. The most robust form of this check is to restrict the value to a simple file name, resolve it with realpath(), and confirm the resolved path still sits under the patterns directory.
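The following is an added illustration of both the original mistake and the shape of the fix described above. It is not the pattern library’s own code; the directory name `patterns`, the function names, and the exact allowlist pattern are assumptions made for the example. The query parameter is called `path`, as in the article.

```php
<?php
// Added example, not the ALA pattern library's own code.
// Assumes patterns live in a "patterns" directory beside this script and
// that the snippet to show is named in the "path" query parameter.

// --- Vulnerable: the request decides what gets included. ---
// ?path=../../../../etc/passwd renders that file into the page.
function render_pattern_unsafe(string $path): void
{
    include $path;
}

// --- Hardened: only a known .html file inside the patterns root is allowed. ---
// Returns the absolute path of the pattern to include, or null to refuse.
function resolve_pattern(string $requested, string $root): ?string
{
    // Allowlist the shape of the name: letters, digits, dash, underscore,
    // optional sub-directories, and a mandatory .html extension. This alone
    // rejects "..", absolute paths, "php://" wrappers and NUL bytes.
    if (!preg_match('~^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\.html$~', $requested)) {
        return null;
    }

    // Defence in depth: canonicalise both sides and check containment.
    // realpath() returns false for a missing file and collapses symlinks
    // and any ".." segment, so a prefix comparison on its result is sound.
    $rootReal = realpath($root);
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootReal === false || $candidate === false) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

$root = __DIR__ . '/patterns';

if (isset($_GET['path']) && is_string($_GET['path'])) {
    $file = resolve_pattern($_GET['path'], $root);
    if ($file === null) {
        // Refuse anything that is not a real pattern; never echo the input back.
        http_response_code(404);
        exit('Unknown pattern');
    }
    include $file;
} else {
    // No path given: render every pattern in the library.
    foreach (glob($root . '/*.html') as $file) {
        include $file;
    }
}
```

The allowlist regex is the primary control; the realpath() containment check is there so that a later loosening of the regex (say, to permit dots in names) cannot silently reopen the traversal. Note that the request value is never reflected into the error response, so a rejected path cannot be turned into an injection of a different kind.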

In terms of lines of code, this was a very small issue—resolved in about fifteen minutes, if even that. In terms of security impact, it meant largely unrestricted access to any file on any public-facing server that hosted the pattern library—a serious issue.

The lesson here is to validate every input against what you actually expect, in this case a known file name inside the patterns directory, rather than trying to strip out the characters you think are dangerous. That applies even to code that isn’t meant to be released to the public, because internal code has a way of ending up on public servers.

Thanks to @linssen for pointing the issue out to us.

