Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)
Hello, thank you for helping/offering to help!
I had released a new version with an almost-correct fix for the buffer
overflow problem last night, and just looked at your mail to the bug
this afternoon. My fix was almost the same as yours; it used
CGI_ERRMSG_MAX-1 instead of CGI_ERRMSG_MAX. My next upload will use
your correct version.
That leaves the other stuff... the main problem is the template files,
and I like the solution you suggested (restricting them to a specific
directory). The relevant code, I think, is in the
cgi_standard_{email,echo,file} functions at the end of cgilib.c
(beginning on line 1010).
Hmm, one problem that just occurred to me is that we can't easily make
the location of the template files a compile-time option because people
reconfigure their webservers to have different document roots, and the
current design of cgiemail requires the template files to have
PATH_TRANSLATEDs. That means, I guess, that configuration file parsing
might have to be added.
Maybe we could restrict to files with extension .CGIEMAIL_TEMPLATE.
Do you have any other ideas, or a preference between these two?
The other issue is that it uses mkstemp(), which is not very secure. I
don't guess that this is exploitable, but it should be fixed at some point.
Again, thanks for your help, Colin.
thomas
--
Thomas "resc" Smith <tgs@finbar.dyndns.org>
web: http://finbar.dyndns.org/
gpg key id 1024D/ACABA81E, fingerprint:
3A47 CFA5 0E5D CF4A 5B22 12D3 FF1B 84FE ACAB A81E
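An added illustration (not cgiemail's own code) of the two template restrictions the mail weighs: confining PATH_TRANSLATED to a configured directory, and requiring the .CGIEMAIL_TEMPLATE extension. The function names, TEMPLATE_EXT and the template_dir parameter are assumptions; the string checks are kept separate from realpath(3) so the policy can be tested without touching the filesystem.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Assumed name for the extension suggested in the mail. */
#define TEMPLATE_EXT ".CGIEMAIL_TEMPLATE"

/* True if `path` (already canonical: no "..", no symlinks) lies strictly
 * inside `dir`. The separator check after the prefix keeps
 * "/srv/tpl-evil/x" from matching dir "/srv/tpl". */
bool path_inside_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    /* Tolerate a trailing slash on the configured directory. */
    while (n > 1 && dir[n - 1] == '/')
        n--;
    if (n == 0 || strncmp(path, dir, n) != 0)
        return false;
    return path[n] == '/' && path[n + 1] != '\0';
}

/* True if the name ends in TEMPLATE_EXT as a whole suffix, so
 * "form.CGIEMAIL_TEMPLATE.bak" and a bare ".CGIEMAIL_TEMPLATE" are rejected. */
bool has_template_ext(const char *path)
{
    size_t plen = strlen(path), elen = strlen(TEMPLATE_EXT);
    return plen > elen && strcmp(path + plen - elen, TEMPLATE_EXT) == 0;
}

/* Resolve PATH_TRANSLATED with realpath(3) so "../" and symlinks are gone,
 * then apply both checks. Returns a malloc'd canonical path, or NULL if the
 * file does not exist or is not an allowed template. Caller frees. */
char *resolve_template(const char *path_translated, const char *template_dir)
{
    char *resolved = realpath(path_translated, NULL);
    if (resolved == NULL)
        return NULL;
    if (!path_inside_dir(resolved, template_dir) || !has_template_ext(resolved)) {
        free(resolved);
        return NULL;
    }
    return resolved;
}
```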