TITLE: Security bug.

PROBLEM: Shell command called w/o input verification. This should not happen ... please read a book about basic programming stuff.

man:huhu;touch <a href="man:huhu;touch">do anything i want</a>

Make a regex s/[^A-Za-z0-9_-]//g on the input.

Regards, Tom Bille

RESPONSE: Hey, let's not get insulting here. Mentioning a "basic" programming book, internet security, and regular expressions all in one breath is a bit over the top. I actually do scan the input, but apparently missed the semicolon among others. Regexes aren't that easy to implement in Objective-C/Cocoa. Besides, your regex above doesn't cover all legitimate man uses. My current implementation doesn't either (SogudiIssues_20050413). I count on you, the considerate users, to find the things I've missed and to let me know about them in a respectful manner.

This is not as serious as it might look at first glance. While it does allow for arbitrary execution of a unix command, it doesn't allow for arguments to be passed to that command. I have difficulty thinking of a single-word unix command that could be disastrous, but one probably does exist. After munging around a bit, I have been able to get a single argument to pass to the extra command, so that could become a serious threat. Either way, you are absolutely correct that it should be fixed.

SOLUTION: Will be fixed in the next release of Sogudi, due to come out at the end of January 2006.

STATUS: OPEN
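The exchange above turns on two points: a strip-everything regex like s/[^A-Za-z0-9_-]//g rejects legitimate man invocations (section numbers, names such as perl5.8), and the real cause of the bug is that the URL ever reaches a shell at all. The following is an added example, not Sogudi's code; it is in Python rather than Objective-C so it can be run directly, and it assumes man lives at /usr/bin/man. It parses a man: URL into an argv list under an allowlist, so the semicolon case from the report is rejected before any process is spawned, and it executes man without a shell so metacharacters are never interpreted.

```python
"""Safe handling of a man: URL (added example; not Sogudi's implementation)."""
import re
import subprocess
from urllib.parse import unquote

# Allowlist for a page name: must start with a letter or digit (so it can never
# be mistaken for an option) and may then contain the punctuation real page
# names use, e.g. "git-commit", "perl5.8", "std::string". No ';', '|', '$', etc.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.+:-]*$")
# Section: a digit optionally followed by letters ("1", "3p", "8"), or "n"/"l".
SECTION_RE = re.compile(r"^(?:[0-9][A-Za-z]*|[nl])$")


class BadManURL(ValueError):
    """Raised for anything that is not a plain '[section] name' request."""


def parse_man_url(url):
    """Turn 'man:ls', 'man:2%20open' or 'man:open(2)' into an argv list.

    Anything outside the allowlist (for example 'man:huhu;touch' from the
    report) raises BadManURL instead of being passed along.
    """
    if not url.startswith("man:"):
        raise BadManURL("not a man: URL")
    spec = unquote(url[len("man:"):]).strip()
    m = re.match(r"^([^\s()]+)\((\w+)\)$", spec)  # name(section) form
    if m:
        name, section = m.group(1), m.group(2)
    else:
        parts = spec.split()
        if len(parts) == 1:
            name, section = parts[0], None
        elif len(parts) == 2:
            section, name = parts  # "2 open" form
        else:
            raise BadManURL("expected '[section] name', got %r" % spec)
    if not NAME_RE.match(name):
        raise BadManURL("illegal characters in page name %r" % name)
    if section is not None and not SECTION_RE.match(section):
        raise BadManURL("illegal section %r" % section)
    argv = ["/usr/bin/man"]  # assumed path to man
    if section:
        argv.append(section)
    argv.append(name)
    return argv


def run_man(url):
    """Execute man with an argv list and no shell, so nothing is re-parsed."""
    argv = parse_man_url(url)
    return subprocess.run(argv, capture_output=True, text=True, check=False)
```

The same two steps apply in Cocoa: validate the page name and section against an allowlist, then launch man with an explicit argument array rather than a shell command string.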