]] Didier 'OdyX' Raboud

> On Thursday, 8 December 2016, 23:32:44 CET, Ron wrote:
> > On Mon, Dec 05, 2016 at 10:13:05PM +0100, Philip Hands wrote:
> > > Perhaps you'd be kind enough to either confirm or correct my perceptions
> > > of the current situation:
> > > Version 6 includes a CGI script that one is expected to install in a
> > > manner so hopelessly insecure that we'd not accept it in Debian.
> >
> > For the version (…) that I nacked, which is where this appeal to the ctte
> > started from, that's absolutely true. Not only did it have the 'chmod 777'
> > interface to enable it, it had little gems in it like this too:
> >
> > open(PIPE, '@globalpath@' . " --result=ctags-xid $flags $pattern |");
> >
> > Which for those who don't speak it, is perl for "anyone can execute
> > arbitrary shell commands by typing them into a web browser", since
> > $pattern is an unsanitised, untrusted, input from the query string.
>
> If you haven't yet, I urge you to use our standard interface to report such
> bugs; please make sure issues like this one are public on our bugtracker,
> with correct found/notfound version markers.
>
> This also applies to the group who has uploaded the experimental version:
> please version-close bugs that this version fixes.
>
> For that specific Perl problem, I'd love to be enlightened in how the version
> in 6.5.5 is significantly worse than the code in 5.7.1-3's global.cgi.tmpl:
>
> http://sources.debian.net/src/global/5.7.1-3/htags/global.cgi.tmpl/?hl=152#L152
It's completely different.  It's basically system(3) on a concatenated
string with partial user-defined content vs execve(2) on a list of
arguments (some of which are user-provided).

perldoc -f exec and perldoc -f open might be useful.

Using open like in the code snippet above is pretty much inexcusable in
this day and age.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
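The following is an added example, not code from GNU GLOBAL, htags, the Debian package, or any participant in this thread. It places the two-argument pipe open quoted above (one string handed to /bin/sh) beside Perl's list-form open, which forks and execs the program directly with one argv entry per list element, the distinction Tollef's reply draws between system(3) and execve(2). The path in $global, the %flag_table contents and the allowlist pattern are assumptions made for the example; /bin/echo stands in for @globalpath@ so that the script runs offline and just prints the argv it received.

```perl
#!/usr/bin/perl
# Added example, not code from GNU GLOBAL, htags or the Debian package: it
# contrasts the two-argument pipe open quoted in the thread with the
# list-form open that execs the program directly.
use strict;
use warnings;

# Stand-in for @globalpath@ (assumption). /bin/echo is used so the example
# runs offline and prints the argv it was handed; a real CGI would name
# the global(1) binary here.
my $global = '/bin/echo';

# The shape quoted in the thread: a single string, handed to /bin/sh -c.
# Any shell metacharacter in $flags or $pattern is interpreted by the shell,
# so this form must never see query-string input. Kept only for comparison.
sub run_via_shell {
    my ($flags, $pattern) = @_;
    open(my $pipe, "$global --result=ctags-xid $flags $pattern |")
        or die "open: $!";
    my @out = <$pipe>;
    close $pipe;
    return join '', @out;
}

# Hardened shape. With more than one element after '-|', perl forks and
# calls execvp() on $global directly; each element becomes exactly one argv
# entry and no shell ever parses the pattern. Flags are looked up in a fixed
# table keyed by the request's search kind instead of being copied from the
# query string, and the pattern is checked against an allowlist before use.
# The table contents are illustrative, not htags' real option set.
my %flag_table = (
    definition => [],
    reference  => ['-r'],
    symbol     => ['-s'],
);

sub run_direct {
    my ($kind, $pattern) = @_;
    my $flags = $flag_table{$kind}
        or die "unknown search kind '$kind'\n";
    die "pattern '$pattern' contains characters outside the allowlist\n"
        unless $pattern =~ /\A[A-Za-z0-9_.:-]{1,128}\z/;
    open(my $pipe, '-|', $global, '--result=ctags-xid', @$flags, $pattern)
        or die "open: $!";
    my @out = <$pipe>;
    close $pipe;
    return join '', @out;
}

# Constructed inputs: an ordinary identifier, then one carrying a shell
# metacharacter that the allowlist rejects before any process is started.
print run_direct('reference', 'main');
eval { run_direct('reference', 'main;id') };
print "rejected: $@" if $@;
```

Two details matter when adopting the list form. First, the protection only applies when more than one element follows '-|': with a single string, perl falls back to the same shell-or-not heuristic that exec uses, so the program and at least one argument must always be passed as separate list elements. Second, the list form removes the shell but not the need for input validation; the allowlist keeps odd characters out of the pattern that global would otherwise treat as a regular expression, and the fixed flag table stops the query string from choosing options at all.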