
Bug#841294: Overrule maintainer of "global" to package a new upstream version



Hello all,

2016 23:32:44 +1030, Ron wrote:
> open(PIPE, '@globalpath@' . " --result=ctags-xid $flags $pattern |");
>
> Which for those who don't speak it, is perl for "anyone can execute
> arbitrary shell commands by typing them into a web browser", since
> $pattern is an unsanitised, untrusted, input from the query string.

This code is for Windows; it is not used in UNIX.
Ron's quotation seems to be part of the following code:

------------------------------------------------------------------------------
[global.cgi.tmpl.in] (global-6.5.2)
------------------------------------------------------------------------------
if ($^O eq 'MSWin32') {
        open(PIPE, '@globalpath@' . " --result=ctags-xid $flags $pattern |");
} else {
        open(PIPE, "-|") || exec '@globalpath@', '--result=ctags-xid', $flags, $pattern;
        if ($?) {
                error_and_exit("Cannot execute global.");
        }
}
------------------------------------------------------------------------------

Though I don't recognize it as a security hole on Windows, I don't know whether
that will be true in the future. So, it is commented out in the latest release now.

------------------------------------------------------------------------------
[global.cgi.in] (global-6.5.5)
------------------------------------------------------------------------------
if ($^O eq 'MSWin32') {
        #
        # This code was commented out, because it may have a security hole in the
        # future.  To use this code, please uncomment in your own responsibility.
        #
        #open(PIPE, "$global_command" . " --result=ctags-xid $flags \"$pattern\" |");
        error_and_exit("Feature not implemented.");
} else {
        open(PIPE, "-|") || exec "$global_command", '--result=ctags-xid', $flags, $pattern;
        if ($?) {
                error_and_exit("Cannot execute global.");
        }
}
------------------------------------------------------------------------------

Please see the following thread for the details.

[A CGI security hole on Windows?]
http://lists.gnu.org/archive/html/bug-global/2016-03/msg00002.html


2016 19:05:55 +0000, Wookey wrote:
> The .cgi scripts are generated from .in files which are correctly
> parameterised with @PERLPATH@ and @GLOBALPATH@ etc. Upstream
> unhelpfully ships pre-generated versions with the above arbitrary
> local paths, but we kicked the build to force regeneration of these so
> that all the scripts come out with correct debian paths. That was in
> 6.5.5-0.1 and is in 6.5.5-0.2 (with ctags path set correctly
> too). Please file a bug if we missed any.

It's my mistake. I will fix it soon.

It is helpful if these bug reports are sent to bug-global@gnu.org.
Thank you in advance.

Regards,
Shigio

-- 
Shigio YAMAGUCHI <shigio@gnu.org>
PGP fingerprint: D1CB 0B89 B346 4AB6 5663  C4B6 3CA5 BBB3 57BE DDA3
A long mail is hell.
               -- An anonymous philosopher in ancient Greece
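
The difference between the two open() styles quoted in the message above, as an added example that is not part of the original mail or of GNU GLOBAL. It assumes a Unix-like host with /bin/sh; the child perl standing in for the `global` binary, the helper names, the allow-list and the sample inputs are all constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not GNU GLOBAL code: how $pattern reaches the child process.
use strict;
use warnings;

# Assumption: a child perl that prints every argv element it receives, one
# per line in brackets, stands in for the real `global` binary.
my $code  = 'print "[$_]\n" for @ARGV';
my @child = ($^X, '-e', $code, '--');

# String form, as in the MSWin32 branch: the command line is parsed by a shell.
sub run_string_form {
    my ($pattern) = @_;
    open(my $pipe, qq{"$^X" -e '$code' -- $pattern |}) or die "open: $!";
    chomp(my @out = <$pipe>);
    close($pipe);
    return @out;
}

# List form: no shell; $pattern is exactly one argv element of the child.
sub run_list_form {
    my ($pattern) = @_;
    open(my $pipe, '-|', @child, $pattern) or die "open: $!";
    chomp(my @out = <$pipe>);
    close($pipe);
    return @out;
}

# Hypothetical allow-list for the query-string value: identifier characters
# plus a few regex metacharacters, bounded length, no leading '-'.
sub valid_pattern {
    my ($p) = @_;
    return defined $p && $p =~ /\A(?!-)[A-Za-z0-9_.*?^\$\[\]-]{1,128}\z/ ? 1 : 0;
}

# Constructed sample inputs; the second carries a harmless marker command.
for my $pattern ('main', 'main; echo MARKER') {
    printf "%-20s valid=%d\n", "'$pattern'", valid_pattern($pattern);
    print  "  string form: @{[ run_string_form($pattern) ]}\n";
    print  "  list form:   @{[ run_list_form($pattern) ]}\n";
}
```

With the second input, the string form lets the shell split the value at the semicolon and run the marker command, while the list form hands the whole value to the child as one bracketed argument. The allow-list rejects that input before either call would be reached in a real handler.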
