Bug#841294: Overrule maintainer of "global" to package a new upstream version
]] Didier 'OdyX' Raboud
> On Thursday, 8 December 2016, 23:32:44 CET, Ron wrote:
> > On Mon, Dec 05, 2016 at 10:13:05PM +0100, Philip Hands wrote:
> > > Perhaps you'd be kind enough to either confirm or correct my perceptions
> > > of the current situation:
> > > Version 6 includes a CGI script that one is expected to install in a
> > > manner so hopelessly insecure that we'd not accept it in Debian.
> >
> > For the version (…) that I nacked, which is where this appeal to the ctte
> > started from, that's absolutely true. Not only did it have the 'chmod 777'
> > interface to enable it, it had little gems in it like this too:
> >
> > open(PIPE, '@globalpath@' . " --result=ctags-xid $flags $pattern |");
> >
> > Which for those who don't speak it, is perl for "anyone can execute
> > arbitrary shell commands by typing them into a web browser", since
> > $pattern is an unsanitised, untrusted, input from the query string.
>
> If you haven't yet, I urge you to use our standard interface to report such
> bugs; please make sure issues like this one are public on our bugtracker, with
> correct found/notfound version markers.
>
> This also applies to the group who has uploaded the experimental version: please
> version-close the bugs that this version fixes.
>
> For that specific Perl problem, I'd love to be enlightened as to how the version
> in 6.5.5 is significantly worse than the code in 5.7.1-3's global.cgi.tmpl:
>
> http://sources.debian.net/src/global/5.7.1-3/htags/global.cgi.tmpl/?hl=152#L152
It's completely different. It's basically system(3) on a concatenated
string with partial user-defined content vs execve(2) on a list of
arguments (some of which are user-provided).
perldoc -f exec and perldoc -f open might be useful.
Using open like in the code snippet above is pretty much inexcusable in
this day and age.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
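The distinction Tollef draws (a shell parsing one concatenated string versus execve(2) receiving an argument list) is easiest to see by running both forms on the same untrusted value. The script below is an added example, not code from the global package or from anyone in this thread; it uses Python's subprocess module instead of Perl's open, with /bin/echo standing in for the global binary so it runs anywhere, and the query-string value is constructed for the demo.

```python
"""Shell command injection: concatenated command string vs. argument list.

Added example (not code from the global package or this thread). It mirrors
the Perl open(PIPE, "... $pattern |") pattern quoted above using Python's
subprocess module, with /bin/echo standing in for the global binary.
"""
import re
import shlex
import subprocess

# Constructed untrusted input: a plausible search term followed by shell
# metacharacters, the kind of value a CGI query string can carry unchanged.
UNTRUSTED_PATTERN = "main; echo INJECTED"


def run_concatenated(pattern: str) -> str:
    """Vulnerable form: the user value is pasted into one string that a shell
    parses. Perl's two-argument open(PIPE, "cmd $pattern |") and system(3)
    behave this way: ';' ends the intended command and starts a second one."""
    cmd = f"echo --result=ctags-xid {pattern}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(pattern: str) -> str:
    """Safe form: an argument list handed to execve(2) with no shell in
    between. Perl's list-form exec, or open(my $fh, '-|', @args), is the
    equivalent. The whole pattern, metacharacters included, arrives at the
    child as one literal argument."""
    argv = ["echo", "--result=ctags-xid", pattern]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_quoted(pattern: str) -> str:
    """If a shell string is unavoidable, quoting every interpolated value is
    the minimum fix; shlex.quote plays the role String::ShellQuote does in
    Perl. The argv form above is still preferable."""
    cmd = f"echo --result=ctags-xid {shlex.quote(pattern)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Defence in depth: a CGI that only ever needs identifier-like search patterns
# can reject anything else before the value reaches any command at all.
_SAFE_PATTERN = re.compile(r"^[A-Za-z0-9_.:*?-]{1,128}$")


def pattern_is_safe(pattern: str) -> bool:
    """Allow-list check on the query value; False for anything with
    whitespace or shell metacharacters such as ';', '|', '$' or backticks."""
    return bool(_SAFE_PATTERN.match(pattern))


if __name__ == "__main__":
    print("concatenated :", repr(run_concatenated(UNTRUSTED_PATTERN)))
    print("argv list    :", repr(run_argv(UNTRUSTED_PATTERN)))
    print("quoted string:", repr(run_quoted(UNTRUSTED_PATTERN)))
    print("allow-listed :", pattern_is_safe(UNTRUSTED_PATTERN))
```

Running it shows the concatenated form emitting a second line ("INJECTED") produced by a command the author never wrote, while the argv and quoted forms print the whole pattern, semicolon and all, as a single literal argument. The allow-list check is the layer that should sit in front of either: it fails closed on the constructed input and keeps the command-building code out of the picture entirely for anything that is not a plausible search term.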