Hello all,
2016 23:32:44 +1030, Ron wrote:
> open(PIPE, '@globalpath@' . " --result=ctags-xid $flags $pattern |");
>
> Which for those who don't speak it, is perl for "anyone can execute
> arbitrary shell commands by typing them into a web browser", since
> $pattern is an unsanitised, untrusted, input from the query string.
This code is for Windows; it is not used in UNIX.
Ron's quotation seems to be part of the following code:
------------------------------------------------------------------------------
if ($^O eq 'MSWin32') {
    open(PIPE, '@globalpath@' . " --result=ctags-xid $flags $pattern |");
} else {
    open(PIPE, "-|") || exec '@globalpath@', '--result=ctags-xid', $flags, $pattern;
    if ($?) {
        error_and_exit("Cannot execute global.");
    }
}
------------------------------------------------------------------------------
Though I don't recognize it as a security hole on Windows, I don't know whether
that will remain true in the future. So it is commented out in the latest release now.
------------------------------------------------------------------------------
if ($^O eq 'MSWin32') {
    #
    # This code was commented out, because it may have a security hole in the
    # future. To use this code, please uncomment in your own responsibility.
    #
    #open(PIPE, "$global_command" . " --result=ctags-xid $flags \"$pattern\" |");
    error_and_exit("Feature not implemented.");
} else {
    open(PIPE, "-|") || exec "$global_command", '--result=ctags-xid', $flags, $pattern;
    if ($?) {
        error_and_exit("Cannot execute global.");
    }
}
------------------------------------------------------------------------------
Please see the following thread for the details.
[A CGI security hole on Windows?]
2016 19:05:55 +0000, Wookey wrote:
> The .cgi scripts are generated from .in files which are correctly
> parameterised with @PERLPATH@ and @GLOBALPATH@ etc. Upstream
> unhelpfully ships pre-generated versions with the above arbitrary
> local paths, but we kicked the build to force regeneration of these so
> that all the scripts come out with correct debian paths. That was in
> 6.5.5-0.1 and is in 6.5.5-0.2 (with ctags path set correctly
> too). Please file a bug if we missed any.
It's my mistake. I will fix it soon.
Thank you in advance.
Regards,
Shigio
--
Shigio YAMAGUCHI <shigio@gnu.org>
PGP fingerprint: D1CB 0B89 B346 4AB6 5663 C4B6 3CA5 BBB3 57BE DDA3
A long mail is hell.
-- An anonymous philosopher in ancient Greece
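
The difference between the two branches quoted in the mail above, as an added example that is not part of the original message or of GLOBAL's own code: the string form of a pipe open goes through the shell, while the list form passes `$pattern` as a single argument. It assumes a Unix-like system; `echo` stands in for the `global` binary, the helper names are hypothetical, and the pattern is a constructed sample.

```perl
#!/usr/bin/perl
# Added example: string-form vs list-form pipe open. "echo" is a stand-in
# for the global binary (assumption); run on a Unix-like system.
use strict;
use warnings;

# Read all output from a pipe handle and report the child's exit status.
sub slurp_pipe {
    my ($fh) = @_;
    my $out = do { local $/; <$fh> };
    close($fh);                      # $? is only meaningful after close
    return (defined $out ? $out : '', $? >> 8);
}

# "Before" form: one string, so perl hands it to /bin/sh when it
# contains shell metacharacters.
sub run_string_form {
    my ($pattern) = @_;
    open(my $fh, "echo --result=ctags-xid $pattern |")
        or die "cannot start command: $!";
    return slurp_pipe($fh);
}

# "After" form: argument list, no shell; $pattern stays one argv entry.
sub run_list_form {
    my ($pattern) = @_;
    open(my $fh, '-|', 'echo', '--result=ctags-xid', $pattern)
        or die "cannot start command: $!";
    return slurp_pipe($fh);
}

# Constructed sample input, as it might arrive in a query string.
my $pattern = 'main; echo SECOND-COMMAND-RAN';

my ($s_out, $s_rc) = run_string_form($pattern);
my ($l_out, $l_rc) = run_list_form($pattern);

print "string form (exit $s_rc):\n$s_out";
print "list form   (exit $l_rc):\n$l_out";
```

In the string form the shell splits the input at `;` and runs two commands; in the list form the whole pattern, semicolon included, reaches the program as one argument.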