Colin Watson wrote:
> On Sun, Aug 03, 2003 at 07:48:43PM -0400, Matt Zimmerman wrote:
> > It might be a good idea to specify how quoting should be handled, both for
> > shell metacharacters and format specifiers.
>
> Odd, I thought I'd mentioned
> http://www.dwheeler.com/browse/secure_browser.html in this bug, but
> evidently not. man implements the "Compatible Secure BROWSER Definition"
> from that page. It's about 50 lines of C, not counting an escape_shell()
> utility function.
>
> We could also go for the Alternative definition on the same page, which
> acknowledges that you probably need a helper script anyway to do the
> complicated Netscape/Mozilla stuff and ditches the % characters
> entirely. I don't have any strong feelings about which to use.

That page was brought up in one of the threads leading to this bug report.
In my reply to you <20021119173925.GD5320@dragon.kitenet.net>, I said:

I assume you mean the "compatible" alternative and not the "bare" one
(though there's something to be said for the bare one; wrappers are not
hard to write).

First of all, it's possible to write a program that uses ESR's BROWSER
without passing the url through the shell. Here is a modification of my
sensible-browser program that does that:

--- sensible-browser~	2002-11-19 12:20:14.000000000 -0500
+++ sensible-browser	2002-11-19 12:20:31.000000000 -0500
@@ -11,7 +11,7 @@
 	else {
 		$_.=' '.$url;
 	}
-	exec $_;
+	exec split ' ', $_;
 	# on failure, continue to next in list
 }

Before:

joey@dragon:~>BROWSER='echo' ./sensible-browser 'http://;echo rm -rf /'
http://
rm -rf /

After:

joey@dragon:~>BROWSER='echo' ./sensible-browser 'http://;echo rm -rf /'
http://;echo rm -rf /

So is the increased complexity of making %s be converted to an "escaped
absolute reference" worth it? I note that the definition of "escaped
absolute reference" uses a hardcoded list of shell metacharacters to
escape. Such lists are often incomplete; I've seen exploits on bugtraq of
this kind of thing in the past. It seems easier to just program
defensively, not pull the shell into the picture, and not worry about
escaping.

The secure browser page does mention wanting to pass the BROWSER command
through the shell for backwards compatibility (with what, one wonders) and
to allow complicated shell expressions in BROWSER. I think that's a bit of
a non-starter; if you need something complicated you can certainly write
an external script. The complexity outweighs the gain.

How about we just add something like this to the proposal:

When implementing BROWSER in a program, be careful to not pass the URL
through the shell when running the browser commands, as the url might
contain shell metacharacters and there could be security problems. If you
must pass the URL through the shell, be careful to properly escape it
first.

Which, I think, ended that, although that paragraph was never added to the
proposal.

--
see shy jo, replaced with a mail archive grepper for this thread
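Review bot: the `exec split ' ', $_;` line splits a string into which the URL was already concatenated (`$_.=' '.$url;` two lines above), so a URL containing whitespace reaches the browser as several arguments rather than one; keeping the URL out of the string and passing it as its own list element, e.g. `exec split(' ', $_), $url;` in the else branch, avoids that while still never touching the shell. It is also worth remembering that Perl's exec only calls execvp(3) when the list has more than one element: if any code path ever hands exec a single string, Perl checks it for metacharacters and hands it to /bin/sh again, which is exactly the case the Before/After transcript is meant to rule out.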
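The point made above, that a BROWSER implementation can honour %s and the URL-appending rule without ever building a shell command line, as an added example in Python. This is not the sensible-browser script, the man implementation, or code from dwheeler's page; it assumes a simplified BROWSER syntax that handles only %s and %% (constructed for this example), tokenises the BROWSER entry with shlex so that quoted templates like -remote "openURL(%s)" work, and substitutes the URL only after tokenising so it always occupies exactly one argv element:

```python
import os
import shlex
import subprocess


def expand_entry(entry, url):
    """Turn one BROWSER entry into an argv list, never a shell string.

    The entry is tokenised first (shlex resolves quotes in the template, e.g.
    'mozilla -remote "openURL(%s)"'), and only then is %s replaced inside each
    token, so the URL lands in exactly one argv element whatever characters it
    contains.  %% becomes a literal %.  If the entry has no %s, the URL is
    appended as one extra argument.  Only these two escapes are handled; that
    is an assumed simplification of the BROWSER proposal for this example.
    """
    argv = []
    substituted = False
    for word in shlex.split(entry):
        out = []
        i = 0
        while i < len(word):
            if word[i] == "%" and i + 1 < len(word) and word[i + 1] in "s%":
                if word[i + 1] == "s":
                    out.append(url)
                    substituted = True
                else:
                    out.append("%")
                i += 2
            else:
                out.append(word[i])
                i += 1
        argv.append("".join(out))
    if not substituted:
        argv.append(url)
    return argv


def run_browser(url, browser=None):
    """Try each colon-separated BROWSER entry in turn.

    subprocess.run() with an argv list calls execvp(3) directly; no shell is
    involved, so there is nothing to escape.  A command that cannot be started
    (OSError, e.g. not installed) moves on to the next entry, mirroring the
    Perl loop.  Returns the CompletedProcess of the first entry that could be
    started, or None if none could.
    """
    if browser is None:
        browser = os.environ.get("BROWSER", "")
    for entry in browser.split(":"):
        if not entry.strip():
            continue
        argv = expand_entry(entry, url)
        try:
            return subprocess.run(argv, capture_output=True, text=True)
        except OSError:
            continue
    return None


if __name__ == "__main__":
    # The same probe as in the thread (constructed input): with BROWSER=echo the
    # whole URL, metacharacters included, comes back as a single line.
    result = run_browser("http://;echo rm -rf /", browser="echo")
    print(result.stdout, end="")
```

Because the URL is never parsed by a shell, the hardcoded-metacharacter-list problem raised in the message does not arise at all; the only parsing that happens is of the administrator-controlled BROWSER template, and a URL with spaces or quotes still arrives at the browser as one argument.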