Re: [dev][project] soap - a simple xdg-open replacement

From: 7heo <7heo_AT_mail.com>
Date: Sun, 04 May 2014 18:01:22 +0200

On 5/4/2014 5:25 PM, FRIGN wrote:
> What Chris is concerned about is making a mistake in the config.h,
> calling a program like watch(1), which accepts arguments like this:
> watch 'ls -l /tmp | grep tmp'
> Now, Chris' concern is, if you put watch like this in your config.h,
> which means:
> "watch 'ls -l /tmp | grep %s'"
> It might be possible to exploit this by calling xdg-open with a command
> like this:
> ;rm -rf /;
> which is transformed internally to
> ';rm -rf /;' --> "watch 'ls -l /tmp | grep ;rm -rf /;'"
>
> Imho, this is a valid concern as far as the consciousness of the user
> goes. However, it actually is irrelevant if you know the shell-quirks.
> This is a problem which even has to be adressed in any shell-script
> accepting arguments.
> As a second layer of security, you might want to be very strict with
> the regexes.

That's something any suckless software should never do. User
hand-holding is contrary to the suckless philosophy, as far as I know,
and any command that can execute other commands (such as watch(1),
sudo(8), exec (shell builtin), and so on) should be used with extreme
caution, as WITH ANY OTHER BINARY/SCRIPT.

If your software is going to keep system(), you should document that and
warn the user about the possibility of an injection in the parameters if
the called binaries are not behaving safely.

The other solution to drop system() (and use execve(2) or any other
calls to it - exec(3), along with execl, execlp, execle, execv, execvp,
execvpe - to call a shell script or binary that does what you want for
each file type) that Chris seems to want would defer the problem to the
script, which, if it is behaving unsafely, will be introducing the same
security issues.
Received on Sun May 04 2014 - 18:01:22 CEST

This archive was generated by hypermail 2.3.0 : Sun May 04 2014 - 18:12:06 CEST