KitzKikz: SogudiIssues_20060101

TITLE: Security bug.

PROBLEM:

Shell command called w/o input verification. This should not happen ... please read a book about basic programming stuff.

man:huhu;touch

<a href="man:huhu;touch">do anything i want</a>

make a regex s/[^A-Za-z0-9_-]//g on the input.

regards, Tom Bille

RESPONSE:

Hey, let's not get insulting here. Mentioning a "basic" programming book, internet security, and regular expressions all in one breath is a bit over the top. I actually do scan the input, but apparently missed the semicolon among others. Regexes aren't that easy to implement in Objective-C/Cocoa. Besides, your regex above doesn't cover all legitimate man uses. My current implementation doesn't either (SogudiIssues_20050413). I count on you, the considerate users, to find the things I've missed and to let me know about them in a respectful manner.

This is not as serious as it might look at first glance. While it does allow for arbitrary execution of a Unix command, it doesn't allow for arguments to be passed to that command. I have difficulty thinking of a single-word Unix command that could be disastrous, but one probably does exist. After munging around a bit, I have been able to get a single argument to pass to the extra command, so that could become a serious threat. Either way, you are absolutely correct that it should be fixed.

SOLUTION:

Will be fixed in the next release of Sogudi, due to come out at the end of January 2006.

STATUS: OPEN
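As an added example, not Sogudi's code (Sogudi is Objective-C/Cocoa; this is plain C with assumed function names build_shell_command, man_topic_is_valid, build_man_argv, man_argv_at and run_man), here are the two halves of the fix the thread is circling: an allowlist check that is somewhat wider than the s/[^A-Za-z0-9_-]//g suggested in the report (so that section numbers and names like g++ or perl5.8 still work), and launching man through an argv array rather than a shell string, so that a metacharacter the check misses can at worst become an unknown topic, never a second command. The accepted character set and the "huhu;touch" sample (taken from the report) are the only inputs; nothing here hands a string to a shell.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Added example, not Sogudi's code; all function names are assumptions. */

/* The pattern the report describes: the payload is spliced into one string
 * meant for a shell, so ';' ends the man command and starts a second one.
 * Kept as the "before"; nothing here ever hands this string to a shell. */
void build_shell_command(const char *topic, char *out, size_t outlen)
{
    snprintf(out, outlen, "/usr/bin/man %s", topic);
}

/* Allowlist check: a topic of [A-Za-z0-9_.+-] (printf, g++, utf-8, perl5.8)
 * with an optional section in front ("3 printf", "1ssl openssl") separated
 * by one space. Shell metacharacters, a leading '-' (man would read it as
 * an option), empty and over-long input are rejected. This set is an
 * assumption, wider than s/[^A-Za-z0-9_-]//g; widen it deliberately. */
int man_topic_is_valid(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 256) return 0;
    int words = 0, wordlen = 0;   /* completed words, chars in current word */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == ' ') {
            if (wordlen == 0 || words == 1)   /* leading/double space or third word */
                return 0;
            words = 1;
            wordlen = 0;
            continue;
        }
        if (!(isalnum(c) || c == '_' || c == '.' || c == '+' || c == '-'))
            return 0;
        if (wordlen == 0 && c == '-')
            return 0;
        wordlen++;
    }
    return wordlen > 0;           /* rejects a trailing space */
}

#define MAX_ARGS 3                /* "man", optional section, topic */
typedef struct { char storage[300]; char *argv[MAX_ARGS + 1]; int argc; } man_cmd;

/* Build man's argv from a validated request: each word is its own argument,
 * so the text is data to man, never a command line. Returns argc or -1. */
int build_man_argv(const char *request, man_cmd *cmd)
{
    if (!man_topic_is_valid(request)) return -1;
    snprintf(cmd->storage, sizeof cmd->storage, "%s", request);
    int argc = 0;
    cmd->argv[argc++] = "man";
    for (char *tok = strtok(cmd->storage, " "); tok && argc < MAX_ARGS; tok = strtok(NULL, " "))
        cmd->argv[argc++] = tok;
    cmd->argv[argc] = NULL;
    cmd->argc = argc;
    return argc;
}

/* Element i of the argv a request would produce, or NULL if it is rejected. */
const char *man_argv_at(const char *request, int i)
{
    static man_cmd cmd;
    if (build_man_argv(request, &cmd) < 0 || i < 0 || i >= cmd.argc)
        return NULL;
    return cmd.argv[i];
}

/* Launch man with fork/execvp: the argv array goes straight to the kernel and
 * no shell ever parses the text. Returns the exit status, -1 on rejection/failure. */
int run_man(const char *request)
{
    man_cmd cmd;
    if (build_man_argv(request, &cmd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(cmd.argv[0], cmd.argv);
        _exit(127);               /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    const char *payload = "huhu;touch";   /* the report's own test string */
    char shell[512];
    build_shell_command(payload, shell, sizeof shell);
    printf("unsafe shell string: %s\nallowlist verdict:   %s\n", shell,
           man_topic_is_valid(payload) ? "accepted" : "rejected");
    return argc > 1 ? run_man(argv[1]) : 0;   /* ./a.out "3 printf" opens the page */
}
```

The order matters: validation rejects what the handler should never see, and execvp guarantees that whatever does get through is an argument to man, not shell syntax. Either measure alone leaves a gap (the thread already shows how a hand-written scan misses a character; a shell-free launch alone still lets "-k" or similar be read by man as an option), which is why both are shown together.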

PageInfo 01/01/06 16:02:11