
Bug#172436: Security concerns regarding browser proposal



Colin Watson wrote:
> On Sun, Aug 03, 2003 at 07:48:43PM -0400, Matt Zimmerman wrote:
> > It might be a good idea to specify how quoting should be handled, both for
> > shell metacharacters and format specifiers.
> 
> Odd, I thought I'd mentioned
> http://www.dwheeler.com/browse/secure_browser.html in this bug, but
> evidently not. man implements the "Compatible Secure BROWSER Definition"
> from that page. It's about 50 lines of C, not counting an escape_shell()
> utility function.
> 
> We could also go for the Alternative definition on the same page, which
> acknowledges that you probably need a helper script anyway to do the
> complicated Netscape/Mozilla stuff and ditches the % characters
> entirely. I don't have any strong feelings about which to use.

That page was brought up in one of the threads leading to this bug
report. In my reply to you <20021119173925.GD5320@dragon.kitenet.net>,
I said:

  I assume you mean the "compatible" alternative and not the "bare" one
  (though there's something to be said for the bare one; wrappers are not
  hard to write).

  First of all, it's possible to write a program that uses ESR's BROWSER
  without passing the url through the shell. Here is a modification of my
  sensible-browser program that does that:

  --- sensible-browser~   2002-11-19 12:20:14.000000000 -0500
  +++ sensible-browser    2002-11-19 12:20:31.000000000 -0500
  @@ -11,7 +11,7 @@
                  else {
                          $_.=' '.$url;
                  }
  -               exec $_;
  +               exec split ' ', $_;
                  # on failure, continue to next in list
          }
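Review bot: `exec split ' ', $_;` only bypasses the shell when the resulting list has more than one element; Perl's single-argument `exec` still hands a string containing metacharacters to `/bin/sh`, so any entry that collapses to a single word after the split would reopen the hole. The same `split ' '` also breaks a URL that contains whitespace into several arguments. Building the argument list explicitly and using the indirect-object form, e.g. `exec { $argv[0] } @argv;`, forces execvp regardless of how many elements there are.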
  
  
  Before:
  
  joey@dragon:~>BROWSER='echo' ./sensible-browser 'http://;echo rm -rf /'
  http://
  rm -rf /
  
  After:
  
  joey@dragon:~>BROWSER='echo' ./sensible-browser 'http://;echo rm -rf /'
  http://;echo rm -rf /

  So is the increased complexity of making %s be converted to an "escaped
  absolute reference" worth it? I note that the definition of "escaped
  absolute reference" uses a hardcoded list of shell metacharacters to
  escape. Such lists are often incomplete, I've seen exploits on bugtraq
  of this kind of thing in the past. It seems easier to just program
  defensively, not pull the shell into the picture, and not worry about
  escaping.
  
  The secure browser page does mention wanting to pass the BROWSER command
  through the shell for backwards compatibility (with what one wonders)
  and to allow complicated shell expressions in BROWSER. I think that's a
  bit of a non-starter; if you need something complicated you can
  certainly write an external script. The complexity outweighs the gain.
  
  How about we just add something like this to the proposal:
  
    When implementing BROWSER in a program, be careful to not pass the URL
    through the shell when running the browser commands, as the url might
    contain shell metacharacters and there could be security problems. If
    you must pass the URL through the shell, be careful to properly escape
    it first.
  
Which, I think, ended that, although that paragraph was never added to the
proposal.

-- 
see shy jo, replaced with a mail archive grepper for this thread
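The approach argued for above, written out as an added example (not the sensible-browser script or man's C code): expand BROWSER into argv lists and exec them directly, so the URL is never parsed by a shell and a URL containing spaces stays one argument. The substitution rules (':'-separated entries, '%s' for the URL, '%%' for a literal '%', URL appended when there is no '%s') are assumed from the thread, not quoted from the proposal.

```python
import os
import shlex
import subprocess


def browser_argv(browser_env, url):
    """Expand a BROWSER value into a list of argv lists, never via /bin/sh.

    Assumed rules: entries are separated by ':'; within an entry '%s' is
    replaced by the URL and '%%' by a literal '%'; an entry with no '%s'
    gets the URL appended as its final argument.
    """
    argvs = []
    for entry in browser_env.split(':'):
        entry = entry.strip()
        if not entry:
            continue
        # shlex.split only ever sees the operator's own BROWSER string; the
        # URL is substituted afterwards, per word, so its contents are inert.
        words = shlex.split(entry)
        if not words:
            continue
        if any('%s' in w for w in words):
            # Protect '%%' first so that '%%s' does not turn into the URL.
            argv = [w.replace('%%', '\0').replace('%s', url).replace('\0', '%')
                    for w in words]
        else:
            argv = [w.replace('%%', '%') for w in words] + [url]
        argvs.append(argv)
    return argvs


def launch(url, browser_env=None):
    """Try each candidate in turn, like sensible-browser; return the argv used."""
    env = os.environ.get('BROWSER', '') if browser_env is None else browser_env
    for argv in browser_argv(env, url):
        try:
            # A list, not a string: subprocess calls execvp, no shell involved.
            subprocess.run(argv, check=False)
            return argv
        except OSError:
            continue  # on failure, continue to next in list
    return None


if __name__ == '__main__':
    hostile = 'http://;echo rm -rf /'  # constructed: the URL from the thread
    print(launch(hostile, 'echo'))      # echo receives the whole URL as one arg
```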
