KitzKikz  KitzKikz: SogudiIssues_20060101   RecentChanges 
 PopularPages 
 SearchPages 
 Home | Trail - TranslateSogudi > BookListAuthorFlint > SogudiIssues_2006...
 

  __TITLE:__ Security bug.

__PROBLEM:__

Shell command called w/o input verification. This should not happen ... please read a book about basic programming stuff.

man:huhu;touch

<a href="man:huhu;touch">do anything i want</a>

make a regex s/![^A-Za-z0-9_-]//g on the input.

regards,
Tom Bille

__RESPONSE:__

Hey, let's not get insulting here. Mentioning a "basic" programming book, internet security, and regular expressions all in one breath is a bit over the top. I actually do scan the input, but apparently missed the semicolon among others. Regex's aren't that easy to implement in Objective-C/Cocoa. Besides, your regex above doesn't cover all legitimate man uses. My current implementation doesn't either (SogudiIssues_20050413). I count on you, the __considerate__ users, to find the things I've missed and to let me know about them in a __respectful__ manner.
Hey, let's not get insulting here. Mentioning a "basic" programming book, internet security, and regular expressions all in one breath is a bit over the top. I actually do scan the input for all sorts of stuff, but apparently missed the semicolon. Regex's aren't that easy to implement in Objective-C/Cocoa. Besides, your regex above doesn't cover all legitimate man uses. My current implementation doesn't either (SogudiIssues_20050413). I count on you, the __considerate__ users, to find the things I've missed and to let me know about them in a __respectful__ manner.

This is not as serious as it might look at first glance. While it does allow for arbitrary execution of a unix command, it doesn't allow for arguments to be passed to that command. I have difficulty thinking of a single word unix command that could be disastrous, but one probably does exist. After munging around a bit, I have been able to get a single argument to pass to the extra command, so that could become a serious threat. Either way, you are absolutely correct that it should be fixed.

Keep these tests and problems coming, folks. However, please try to refrain from calling me an idiot. Thanks.

__SOLUTION:__

Will be fixed in the next release of Sogudi, due to come out at the end of January 2006.

__STATUS:__ OPEN
 

 
  ·  0.0416s