Bug#129104: bug 129104 (buffer overflow + template reading in cgiemail)

Hello, thank you for helping/offering to help!

I had released a new version with an almost-correct fix for the buffer
overflow problem last night, and just looked at your mail to the bug
this afternoon.  My fix was almost the same as yours; it used
CGI_ERRMSG_MAX-1 instead of CGI_ERRMSG_MAX.  My next upload will use
your correct version.

That leaves the other stuff...  the main problem is the template files,
and I like the solution you suggested (restricting them to a specific
directory).  The relevant code, I think, is in the
cgi_standard_{email,echo,file} functions at the end of cgilib.c
(beginning on line 1010).

Hmm, one problem that just occurred to me is that we can't easily make
the location of the template files a compile-time option because people
reconfigure their webservers to have different document roots, and the
current design of cgiemail requires the template files to have
PATH_TRANSLATEDs.  That means, I guess, that configuration file parsing
might have to be added.

Maybe we could restrict it to files with the extension .CGIEMAIL_TEMPLATE.

Do you have any other ideas, or a preference between these two?

The other issue is that it uses mkstemp() which is not very secure.  I
don't guess that this is exploitable, but should be fixed at some point.

Again, thanks for your help, Colin.

Thomas "resc" Smith <tgs@finbar.dyndns.org>
web: http://finbar.dyndns.org/
gpg key id 1024D/ACABA81E, fingerprint:
3A47 CFA5 0E5D CF4A 5B22  12D3 FF1B 84FE ACAB A81E
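Added example (not cgiemail's own code, nor anything Thomas or Colin posted): one way to implement the confinement discussed above, combining both suggestions from the mail, namely a fixed template directory and the .CGIEMAIL_TEMPLATE extension. The directory is taken as a runtime parameter rather than a compile-time constant, which matches the point about differing document roots. The function name template_path_ok, the TEMPLATE_EXT macro, and the throwaway directory tree built by run_demo are all assumptions for this illustration; realpath() is used so that ".." components and symlinks are resolved before the prefix comparison, which a plain string check on PATH_TRANSLATED would not do.

```c
/* Added example, not cgiemail code: confine a PATH_TRANSLATED-style template
 * path to one directory and one extension before it is opened.  Names,
 * extension and the demo tree are assumptions for this illustration.
 * POSIX only (realpath, mkdtemp, symlink). */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

#define TEMPLATE_EXT ".CGIEMAIL_TEMPLATE"  /* extension suggested in the mail */

static int has_suffix(const char *s, const char *suffix)
{
    size_t sl = strlen(s), xl = strlen(suffix);
    return sl >= xl && strcmp(s + sl - xl, suffix) == 0;
}

/* Returns 1 and fills `resolved` when `candidate` names a regular file whose
 * canonical path lies inside the canonical `tmpl_dir` and ends in
 * TEMPLATE_EXT; returns 0 otherwise (missing file, ".." escape, symlink
 * pointing outside, wrong extension).  The caller should then open
 * `resolved`, not the original PATH_TRANSLATED string. */
int template_path_ok(const char *tmpl_dir, const char *candidate,
                     char *resolved, size_t resolved_len)
{
    char dir_real[PATH_MAX], cand_real[PATH_MAX];
    struct stat st;
    size_t dirlen;

    if (realpath(tmpl_dir, dir_real) == NULL) return 0;
    if (realpath(candidate, cand_real) == NULL) return 0;  /* also: must exist */

    dirlen = strcmp(dir_real, "/") == 0 ? 0 : strlen(dir_real);
    /* prefix match plus a separator, so "/srv/tpl2/x" does not pass for "/srv/tpl" */
    if (strncmp(cand_real, dir_real, dirlen) != 0 || cand_real[dirlen] != '/')
        return 0;
    if (!has_suffix(cand_real, TEMPLATE_EXT)) return 0;
    if (stat(cand_real, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (strlen(cand_real) >= resolved_len) return 0;
    strcpy(resolved, cand_real);
    return 1;
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Builds a constructed demo tree under /tmp, runs four checks and returns a
 * bitmask: bit0 legitimate template accepted, bit1 ".." traversal rejected,
 * bit2 symlink escape rejected, bit3 wrong extension rejected.  15 means all
 * four cases behaved as intended; negative means setup failed. */
int run_demo(void)
{
    char root[] = "/tmp/cgiemail-demo-XXXXXX";
    char tdir[PATH_MAX], good[PATH_MAX], trav[PATH_MAX], link[PATH_MAX];
    char txt[PATH_MAX], secret[PATH_MAX], out[PATH_MAX];
    int mask = 0;

    if (mkdtemp(root) == NULL) return -1;
    snprintf(tdir,   sizeof tdir,   "%s/templates", root);
    snprintf(good,   sizeof good,   "%s/contact%s", tdir, TEMPLATE_EXT);
    snprintf(txt,    sizeof txt,    "%s/notes.txt", tdir);
    snprintf(secret, sizeof secret, "%s/secret.txt", root);
    snprintf(trav,   sizeof trav,   "%s/../secret.txt", tdir);
    snprintf(link,   sizeof link,   "%s/evil%s", tdir, TEMPLATE_EXT);

    if (mkdir(tdir, 0700) != 0 ||
        write_file(good, "Subject: [$subject]\n") != 0 ||
        write_file(txt, "not a template\n") != 0 ||
        write_file(secret, "constructed secret\n") != 0 ||
        symlink(secret, link) != 0)
        return -2;

    if (template_path_ok(tdir, good, out, sizeof out) == 1) mask |= 1;
    if (template_path_ok(tdir, trav, out, sizeof out) == 0) mask |= 2;
    if (template_path_ok(tdir, link, out, sizeof out) == 0) mask |= 4;
    if (template_path_ok(tdir, txt,  out, sizeof out) == 0) mask |= 8;

    unlink(link); unlink(txt); unlink(good); unlink(secret);
    rmdir(tdir); rmdir(root);
    return mask;
}

int main(void)
{
    int m = run_demo();
    printf("demo result mask: %d (15 = all four cases handled)\n", m);
    return m == 15 ? 0 : 1;
}
```

Two caveats a practitioner would want: realpath() only works on paths that exist, so a missing template is simply rejected rather than reported separately, and there is a window between this check and the later open(); if anything other than the administrator can rename or relink files inside the template directory, the open should be followed by fstat() on the descriptor and the same S_ISREG test, rather than trusting the earlier result.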

