Hi Shigio,
Thanks for getting involved.
Shigio YAMAGUCHI <shigio@gnu.org> writes:
> Hello all,
>
> 2016 23:32:44 +1030, Ron wrote:
>> open(PIPE, '@globalpath@' . " --result=ctags-xid $flags $pattern |");
>>
>> Which for those who don't speak it, is perl for "anyone can execute
>> arbitrary shell commands by typing them into a web browser", since
>> $pattern is an unsanitised, untrusted, input from the query string.
>
> This code is for Windows; it is not used in UNIX.
> Ron's quotation seems to be part of the following code:
>
> ------------------------------------------------------------------------------
> [global.cgi.tmpl.in] (global-6.5.2)
> ------------------------------------------------------------------------------
> if ($^O eq 'MSWin32') {
>     open(PIPE, '@globalpath@' . " --result=ctags-xid $flags $pattern |");
> } else {
>     open(PIPE, "-|") || exec '@globalpath@', '--result=ctags-xid', $flags, $pattern;
Is it not the case that this last line forks and execs global, passing
$pattern as a parameter to global's -e option, and that $pattern is
untrusted input?
Looking at global.c it seems that before it is passed on to popen, it is
run through quote_shell() which quotes any single-quotes in the string.
That seems to deal with Ron's assertion that it's exploitable, although
I have a slight feeling of impending doom about relying upon just this.
Would it not be wise to make the network-facing perl code runnable with
strict and taint turned on, if only to stop people reacting with horror
at first glance?
I presume patches would be welcome?
Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
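As an added example (not code from GLOBAL or from any poster in this thread), here is the list-form fork/exec Phil describes, run with strict and taint mode on and with $pattern and $flags untainted through allow-lists before exec sees them; the executable path and both allow-lists are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not code from GLOBAL or from this thread: the list-form
# fork/exec Phil describes, run under strict and taint mode, with $pattern
# and $flags untainted through allow-lists before exec sees them.
use strict;
use warnings;

# -T refuses exec under an untrusted environment: pin PATH, drop shell knobs.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $global = '/usr/bin/global';   # stand-in for @globalpath@ (assumed path)

# Untaint $pattern: only characters a ctags-xid query plausibly needs
# (assumed allow-list). Anything else, shell metacharacters included, is undef.
sub untaint_pattern {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([\w.^\$*+?\[\]-]{1,256})\z/ ? $1 : undef;
}

# Untaint $flags: one short option such as -x or -r (assumed allow-list).
sub untaint_flags {
    my ($raw) = @_;
    return defined $raw && $raw =~ /\A(-[A-Za-z]{1,4})\z/ ? $1 : undef;
}

# The MSWin32 branch quoted above builds one string and lets the shell parse
# it, so $pattern is interpreted as shell syntax:
#   open(PIPE, '@globalpath@' . " --result=ctags-xid $flags $pattern |");
# Here each argument goes to execve() as-is; no shell is involved.
sub run_global {
    my ($flags, $pattern) = @_;
    my $f = untaint_flags($flags)     // die "rejected flags\n";
    my $p = untaint_pattern($pattern) // die "rejected pattern\n";
    my $pid = open(my $pipe, '-|');   # fork; child gets 0, parent gets pid
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {                  # child: become global
        exec $global, '--result=ctags-xid', $f, $p or die "exec failed: $!\n";
    }
    my @lines = <$pipe>;              # parent: collect global's output
    close $pipe;
    return \@lines;
}

unless (caller) {   # demo: the pattern comes from argv, which -T marks tainted
    print @{ run_global('-x', $ARGV[0] // 'main') };
}
```

Run it directly or as `perl -T script.pl`; invoking it as `perl script.pl` makes perl stop with "Too late for -T option" because taint mode has to be enabled on the command line. Note that under -T a tainted value passed as an argument to list-form exec is rejected as well, which is why $flags is untainted and not just $pattern.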