
Unidentified subject!



Colin Watson wrote:
> Seconded, with one proviso: can we standardize on the Compatible Secure
> BROWSER Definition from
> http://www.dwheeler.com/browse/secure_browser.html instead? This is what
> man-db implements for the 'man -H' switch; ESR-style BROWSER variables
> will still work as intended, but %c is added in order to permit a colon
> in commands and it specifies what shell escaping is to be performed on
> URLs to get rid of the hideous security flaws.

I assume you mean the "compatible" alternative and not the "bare" one
(though there's something to be said for the bare one; wrappers are not
hard to write).

First of all, it's possible to write a program that uses ESR's BROWSER
without passing the url through the shell. Here is a modification of my
sensible-browser program that does that:

--- sensible-browser~	2002-11-19 12:20:14.000000000 -0500
+++ sensible-browser	2002-11-19 12:20:31.000000000 -0500
@@ -11,7 +11,7 @@
 		else {
 			$_.=' '.$url;
 		}
-		exec $_;
+		exec split ' ', $_;
 		# on failure, continue to next in list
 	}
 
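Review bot: the `+` line, `exec split ' ', $_;`, relies on the list form of Perl's `exec` to bypass the shell, but Perl only does that when the list has more than one element; a single-element list is still handed to `/bin/sh` if it contains metacharacters. The `else` branch shown here appends `' '.$url`, so the split yields at least two elements, but any other path that leaves `$_` as one whitespace-free word containing the URL would silently reintroduce the shell. The indirect-object form `my @args = split ' ', $_; exec { $args[0] } @args;` never involves the shell regardless of element count. Also worth documenting: splitting on whitespace means a BROWSER entry with quoted arguments (e.g. `xterm -e "lynx %s"`) is no longer honoured, and a URL containing a space arrives as several arguments.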

Before:

joey@dragon:~>BROWSER='echo' ./sensible-browser 'http://;echo rm -rf /'
http://
rm -rf /

After:

joey@dragon:~>BROWSER='echo' ./sensible-browser 'http://;echo rm -rf /'
http://;echo rm -rf /

So is the increased complexity of making %s be converted to an "escaped
absolute reference" worth it? I note that the definition of "escaped
absolute reference" uses a hardcoded list of shell metacharacters to
escape. Such lists are often incomplete; I've seen exploits on bugtraq
of this kind of thing in the past. It seems easier to just program
defensively, not pull the shell into the picture, and not worry about
escaping.

The secure browser page does mention wanting to pass the BROWSER command
through the shell for backwards compatibility (with what one wonders)
and to allow complicated shell expressions in BROWSER. I think that's a
bit of a non-starter; if you need something complicated you can
certainly write an external script. The complexity outweighs the gain.

How about we just add something like this to the proposal:

  When implementing BROWSER in a program, be careful to not pass the URL
  through the shell when running the browser commands, as the url might
  contain shell metacharacters and there could be security problems. If
  you must pass the URL through the shell, be careful to properly escape
  it first.

-- 
see shy jo
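The approach argued for in this message, handling an ESR-style BROWSER value entirely as an argument vector so the URL never reaches a shell, as an added example in Python (not the sensible-browser script from the message). It assumes the plain ESR semantics only: colon-separated entries, `%s` substituted per argument or the URL appended, no `%c` extension.

```python
import shlex
import subprocess
from typing import List, Optional


def build_candidates(browser_var: str, url: str) -> List[List[str]]:
    """Turn a BROWSER value into a list of argv vectors, one per entry.

    Entries are colon-separated. Each entry is tokenized with shell-style
    quoting rules (shlex) so quoted arguments survive, but the URL itself
    is never tokenized: it is substituted for %s inside an argument, or
    appended, as a single opaque argument.
    """
    candidates = []
    for entry in browser_var.split(":"):
        if not entry.strip():
            continue
        argv = shlex.split(entry)
        if any("%s" in arg for arg in argv):
            argv = [arg.replace("%s", url) for arg in argv]
        else:
            argv.append(url)
        candidates.append(argv)
    return candidates


def run_browser(browser_var: str, url: str) -> Optional[str]:
    """Start the first runnable candidate without a shell; return its stdout.

    Like the exec loop in sensible-browser, a command that cannot be
    started falls through to the next entry in the list.
    """
    for argv in build_candidates(browser_var, url):
        try:
            # argv list + shell=False: metacharacters in url are just bytes
            result = subprocess.run(argv, capture_output=True, text=True)
        except (FileNotFoundError, PermissionError):
            continue  # on failure, continue to next in list
        return result.stdout
    return None


if __name__ == "__main__":
    # Constructed input: the same hostile "URL" used in the message above.
    hostile = "http://;echo rm -rf /"
    print(build_candidates('lynx %s:xterm -e "lynx %s":echo', hostile))
    print(run_browser("echo", hostile), end="")
```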
