Colin Watson wrote:
> Seconded, with one proviso: can we standardize on the Compatible Secure
> BROWSER Definition from
> http://www.dwheeler.com/browse/secure_browser.html instead? This is what
> man-db implements for the 'man -H' switch; ESR-style BROWSER variables
> will still work as intended, but %c is added in order to permit a colon
> in commands and it specifies what shell escaping is to be performed on
> URLs to get rid of the hideous security flaws.
I assume you mean the "compatible" alternative and not the "bare" one
(though there's something to be said for the bare one; wrappers are not
hard to write).

First of all, it's possible to write a program that uses ESR's BROWSER
without passing the url through the shell. Here is a modification of my
sensible-browser program that does that:

--- sensible-browser~ 2002-11-19 12:20:14.000000000 -0500
+++ sensible-browser 2002-11-19 12:20:31.000000000 -0500
@@ -11,7 +11,7 @@
 else {
 $_.=' '.$url;
 }
- exec $_;
+ exec split ' ', $_;
 # on failure, continue to next in list
 }

Before:

[EMAIL PROTECTED]:~>BROWSER='echo' ./sensible-browser 'http://;echo rm -rf /'
http://
rm -rf /

After:

[EMAIL PROTECTED]:~>BROWSER='echo' ./sensible-browser 'http://;echo rm -rf /'
http://;echo rm -rf /

So is the increased complexity of making %s be converted to an "escaped
absolute reference" worth it? I note that the definition of "escaped
absolute reference" uses a hardcoded list of shell metacharacters to
escape. Such lists are often incomplete; I've seen exploits on bugtraq of
this kind of thing in the past. It seems easier to just program
defensively, not pull the shell into the picture, and not worry about
escaping.

The secure browser page does mention wanting to pass the BROWSER command
through the shell for backwards compatibility (with what, one wonders)
and to allow complicated shell expressions in BROWSER. I think that's a
bit of a non-starter; if you need something complicated you can certainly
write an external script. The complexity outweighs the gain.

How about we just add something like this to the proposal:

When implementing BROWSER in a program, be careful to not pass the URL
through the shell when running the browser commands, as the url might
contain shell metacharacters and there could be security problems. If you
must pass the URL through the shell, be careful to properly escape it
first.

-- 
see shy jo
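Review bot: `exec split ' ', $_;` does keep the shell out, but splitting on whitespace also rewrites every argument boundary that the BROWSER entry or the URL set up, so a URL containing a space, or an entry such as `xterm -e "lynx %s"`, is broken into separate words and the quotes are passed through literally. Building the list before substitution (tokenise the BROWSER entry, then drop the URL in as one element) and running it with the indirect-object form, e.g. `exec { $cmd[0] } @cmd;`, preserves those boundaries and still guarantees that no shell is involved. The `# on failure, continue to next in list` comment is fine as is, since `exec` only returns when the command could not be started.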
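A launcher that follows the approach the reply argues for, as an added example in Python rather than the sensible-browser Perl on the page (it is not the list's or the project's code): it splits BROWSER on colons, honours %c and %s from the Secure BROWSER definition, and builds an argv list so the URL never passes through a shell. The function names and the constructed hostile URL test are my own.

```python
import shlex
import subprocess
from typing import Callable, List, Optional


def browser_candidates(browser_var: str) -> List[str]:
    """Split a BROWSER value on ':'; a '%c' inside an entry stands for a
    literal colon, so it is expanded only after the split."""
    return [e.replace("%c", ":") for e in browser_var.split(":") if e.strip()]


def browser_argv(template: str, url: str) -> List[str]:
    """Turn one BROWSER entry into an argv list.

    The entry is tokenised with shell-like quoting rules *before* the URL is
    substituted, so whatever the URL contains stays inside one argument and
    is never re-parsed by a shell."""
    argv = shlex.split(template)
    if any("%s" in arg for arg in argv):
        return [arg.replace("%s", url) for arg in argv]
    return argv + [url]  # no %s: ESR-style "append the URL"


def run_argv(argv: List[str]) -> bool:
    """Default runner: exec the argv directly (no shell); True if it started."""
    try:
        subprocess.run(argv, check=False)
        return True
    except OSError:  # e.g. the browser binary is not installed
        return False


def launch(browser_var: str, url: str,
           runner: Callable[[List[str]], bool] = run_argv) -> Optional[List[str]]:
    """Try each BROWSER entry in order; return the argv that ran, or None."""
    for template in browser_candidates(browser_var):
        argv = browser_argv(template, url)
        if runner(argv):
            return argv
    return None


if __name__ == "__main__":
    # Constructed hostile URL, the same one as the thread's Before/After test.
    hostile = "http://;echo rm -rf /"
    print(launch("echo", hostile))  # echo receives the URL as ONE argument
```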