Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
On 12/24/18 10:40 PM, Roberto C. Sánchez wrote:
> There are two command templates involved in this section of code:
> rshcommand and sshcommand. The two for loops each operate on a
> different command template.
Ah ahn.. I missed that single byte difference, thanks.
> Yes, the description could certainly use more detail. That said, I did
> include this in my original post:
> I also wondered whether it was possible to cause the vulnerability
> without a space in the hostname (somewhat related to the first
> question). In any event, I concluded that the question of whether
> something is a valid hostname might be a bit complex to tackle and
> despite numerous attempts I was not able to exploit the
> vulnerability without the space between the host name and the
> command switch '-'.
> I suppose it would be possible to apply the approach of counting tokens
> to the host variable to ensure that it only contains a single token.
> However, I do not think that is any better or worse than the approach I
> came up with.
What about "shell escaping" the host name? Not sure about escaping the
other parameters too, but that shouldn't harm.
It should be the best security practice against command injection, AFAIK.
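To make the two approaches discussed above concrete (checking that the host is a single safe token, and shell-quoting what goes into the rsh/ssh command line), here is an added example in C; it is not code from uw-imap or from the proposed patch, and the function names and the permitted hostname character set are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if host is a single safe token: non-empty, only [A-Za-z0-9.-],
 * and not starting with '-' (so rsh/ssh cannot read it as a switch).
 * Whitespace and shell metacharacters are rejected outright. */
int host_is_safe(const char *host) {
    if (host == NULL || *host == '\0' || *host == '-') return 0;
    for (const char *p = host; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Single-quote a string for a POSIX shell: wrap it in '...' and rewrite
 * each embedded ' as '\''. Returns the number of bytes written (without
 * the NUL), or -1 if the output buffer is too small. */
int shell_quote(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    if (n + 1 >= outlen) return -1;
    out[n++] = '\'';
    for (; *in; in++) {
        if (*in == '\'') {
            if (n + 4 >= outlen) return -1;
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = *in;
        }
    }
    if (n + 1 >= outlen) return -1;
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    /* Constructed sample inputs: a plain host and one carrying a space. */
    const char *hosts[] = { "imap.example.net", "imap.example.net -x", "-x" };
    char quoted[128];
    for (size_t i = 0; i < 3; i++) {
        shell_quote(hosts[i], quoted, sizeof quoted);
        printf("%-24s safe=%d quoted=%s\n", hosts[i], host_is_safe(hosts[i]), quoted);
    }
    return 0;
}
```

Quoting on its own keeps the host as one argument but does not stop a value that begins with '-' from being taken as an option by the spawned program, which is why the token check is kept alongside it.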