
__TITLE:__ Security bug.

__PROBLEM:__

Shell command called w/o input verification. This should not happen ... please read a book about basic programming stuff.

man:huhu;touch

<a href="man:huhu;touch">do anything i want</a>

__RESPONSE:__

__SOLUTION:__

make a regex s/![^A-Za-z0-9_-]//g on the input.

regards,
Tom Bille

__RESPONSE:__

Hey, let's not get insulting here. Mentioning a "basic" programming book, internet security, and regular expressions all in one breath is a bit over the top. I actually do scan the input, but apparently missed the semicolon among others. Regexes aren't that easy to implement in Objective-C/Cocoa. Besides, your regex above doesn't cover all legitimate man uses. My current implementation doesn't either (SogudiIssues_20050413). I count on you, the __considerate__ users, to find the things I've missed and to let me know about them in a __respectful__ manner.

This is not as serious as it might look at first glance. While it does allow for arbitrary execution of a unix command, it doesn't allow for arguments to be passed to that command. I have difficulty thinking of a single word unix command that could be disastrous, but one probably does exist. After munging around a bit, I have been able to get a single argument to pass to the extra command, so that could become a serious threat. Either way, you are absolutely correct that it should be fixed.

__SOLUTION:__

Will be fixed in the next release of Sogudi, due to come out at the end of January 2006.

__STATUS:__ OPEN
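The two points made above, that `man:huhu;touch` becomes two shell commands and that a plain `[^A-Za-z0-9_-]` strip rejects legitimate forms such as `man 3 printf`, are shown below in an added Python example. It is not Sogudi's code (Sogudi is Objective-C/Cocoa) and it is not the reporter's regex; the accepted page-name forms (`name`, `section name`, `name(section)`), the allowed characters (`.`, `+`, `:` for names like `ld.so`, `g++`, `std::vector`) and the section syntax are assumptions about what "legitimate man uses" means. The safe path never builds a shell string at all: it validates the payload and returns an argv list for exec-style invocation (the equivalent of NSTask with an arguments array), so no shell metacharacter has anything to act on.

```python
import re
import shlex
from typing import List


def vulnerable_command(payload: str) -> str:
    """What splicing the URL payload into a shell line amounts to.
    Returns the line instead of running it so the effect is visible."""
    return "man " + payload


def shell_commands(cmdline: str) -> List[List[str]]:
    """Split a command line the way /bin/sh would on ';' so that
    'man huhu;touch' is seen to be two commands rather than one argument."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for token in lexer:
        if token == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Allowlist for one page name (assumption): must start with an alphanumeric or
# underscore so it can never be taken as an option such as -P, then letters,
# digits and the punctuation real page names use. Everything the shell treats
# specially (; | & $ ` < > ( ) quotes, whitespace) is excluded by construction.
_NAME = r"[A-Za-z0-9_][A-Za-z0-9_.+:-]*"
# Section: digits with an optional suffix (3, 3p, 1ssl) or one of the
# single-letter sections n, l, o, p (assumption; extend as your man(1) needs).
_SECTION = r"(?:[0-9][A-Za-z0-9]*|[nlop])"

# Accepted shapes, each a complete match of the payload:
#   name           -> man name
#   section name   -> man section name
#   name(section)  -> man section name
_FORMS = re.compile(
    rf"(?P<sec1>{_SECTION})[ ]+(?P<name1>{_NAME})"
    rf"|(?P<name2>{_NAME})\((?P<sec2>{_SECTION})\)"
    rf"|(?P<name3>{_NAME})"
)


def safe_argv(payload: str) -> List[str]:
    """Validate the payload against the allowlist and return an argv list for
    exec-style invocation (no shell). Raises ValueError on anything else,
    including trailing newlines, since fullmatch must cover the whole string."""
    match = _FORMS.fullmatch(payload)
    if match is None:
        raise ValueError(f"rejected man request: {payload!r}")
    name = match.group("name1") or match.group("name2") or match.group("name3")
    section = match.group("sec1") or match.group("sec2")
    return ["man", section, name] if section else ["man", name]


if __name__ == "__main__":
    print(shell_commands(vulnerable_command("huhu;touch")))
    for request in ["ls", "3 printf", "printf(3)", "ld.so", "huhu;touch"]:
        try:
            print(request, "->", safe_argv(request))
        except ValueError as exc:
            print(request, "->", exc)
```

Rejecting rather than stripping is deliberate: silently deleting characters turns `huhu;touch` into `huhutouch`, which hides the attack instead of surfacing it, and a request that does not match one of the known-good shapes is not worth repairing. The argv list is what you hand to the process-spawning API; because the first character of a name can never be `-`, the page name cannot be turned into a `man` option either.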