Hi Shigio,

Thanks for getting involved.

Shigio YAMAGUCHI <shigio@gnu.org> writes:

> Hello all,
>
> 2016 23:32:44 +1030, Ron wrote:
>> open(PIPE, '@globalpath@' . " --result=ctags-xid $flags $pattern |");
>>
>> Which for those who don't speak it, is perl for "anyone can execute
>> arbitrary shell commands by typing them into a web browser", since
>> $pattern is an unsanitised, untrusted, input from the query string.
>
> This code is for Windows; it is not used in UNIX.
> Ron's quotation seems to be part of the following code:
>
> ------------------------------------------------------------------------------
> [global.cgi.tmpl.in] (global-6.5.2)
> ------------------------------------------------------------------------------
> if ($^O eq 'MSWin32') {
>     open(PIPE, '@globalpath@' . " --result=ctags-xid $flags $pattern |");
> } else {
>     open(PIPE, "-|") || exec '@globalpath@', '--result=ctags-xid', $flags, $pattern;

Is it not the case that this last line forks and execs global, passing
$pattern as a parameter to global's -e option, and that $pattern is
untrusted input?

Looking at global.c it seems that before it is passed on to popen, it is
run through quote_shell(), which quotes any single-quotes in the string.

That seems to deal with Ron's assertion that it's exploitable, although
I have a slight feeling of impending doom about relying upon just this.

Would it not be wise to make the network-facing perl code runnable with
strict and taint turned on, if only to stop people reacting with horror
at first glance?

I presume patches would be welcome?

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
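The three points raised in the thread, shown side by side as an added Perl example (this is not code from GLOBAL's global.cgi.tmpl.in or global.c): the shell-interpolating pipe open of the MSWin32 branch, the list-form open that, like the UNIX branch's fork and exec, starts no shell, and what `-T` does with each. Assumptions: /bin/echo stands in for the global binary, the command-line argument stands in for the CGI query parameter (both are tainted under -T), and the whitelist regex in untaint_pattern is a hypothetical stand-in for whatever character set a real search CGI decides to accept.

```perl
#!/usr/bin/perl -T
# Added illustration, not GLOBAL's code.  Run with taint checking on:
#   perl -T shell_vs_exec.pl 'main; echo INJECTED'
#   perl -T shell_vs_exec.pl main
use strict;
use warnings;

# Taint mode refuses to start any process until PATH is explicit and the
# environment variables a shell would read have been removed.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed untrusted input standing in for the CGI query parameter.
# Anything arriving via @ARGV, %ENV or a filehandle is tainted under -T.
my $pattern = $ARGV[0];
die "usage: $0 PATTERN\n" unless defined $pattern;

# Shape of the MSWin32 branch: the argument is interpolated into a string
# that /bin/sh parses, so "main; echo INJECTED" becomes two commands.
# Under -T this open dies with "Insecure dependency in piped open".
sub run_via_shell {
    my ($p) = @_;
    open(my $pipe, "/bin/echo pattern=$p |") or die "open: $!\n";
    my @out = <$pipe>;
    close $pipe;
    return @out;
}

# Hypothetical whitelist: accept only identifier-like patterns.  Returning
# the captured group is what clears the taint flag, so the decision about
# which characters are safe is made here, in one place, before any exec.
sub untaint_pattern {
    my ($p) = @_;
    return $1 if $p =~ /\A([\w.\-]{1,256})\z/;
    die "rejected pattern: $p\n";
}

# Shape of the UNIX branch: with a list of arguments Perl calls exec
# directly, no shell is involved, and the whole pattern is one argv entry
# whatever it contains.  (The explicit open("-|") || exec form in the
# template does the same thing with the fork spelled out.)
sub run_via_exec {
    my ($p) = @_;
    open(my $pipe, '-|', '/bin/echo', "pattern=$p") or die "open: $!\n";
    my @out = <$pipe>;
    close $pipe;
    return @out;
}

# 1. Raw tainted input into the shell form: taint mode refuses to run it,
#    which is the "horror at first glance" protection the message asks for.
eval { print run_via_shell($pattern); 1 }
    or print "shell form refused: $@";

# 2. Whitelist first, then the exec-list form: 'main' runs and prints
#    "pattern=main"; 'main; echo INJECTED' is rejected before any process
#    is started.  Even without the whitelist the list form would only ever
#    print the literal string, never execute the "echo INJECTED" part.
my $clean = untaint_pattern($pattern);
print run_via_exec($clean);
```

Running the script without `-T` (after removing it from the shebang line) is the quickest way to see the difference the two forms make: the shell form then prints `pattern=main` followed by `INJECTED`, while the exec-list form prints the attacker's text as an inert argument.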