[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Reminder: $EDITOR with spaces?

From: Marcus Comstedt <marcus_at_mc.pp.se>
Date: 2002-04-29 13:13:54 CEST

Mark Benedetto King <bking@answerfriend.com> writes:

> Historically, many vulnerabilities have resulted from insufficient
> input validation around system() calls. Considering the complexity
> of /bin/sh, this is not suprising.

Certainly. However, they are not really relevant here.

> This will seem a little contrived, but it is an example:
>
> Let's say an administrator wants to build s setuid-svn executable
> that is run as follows:
>
> mycommit foo
>
> and will eventuall call, as uid=svn:
>
> EDITOR="/path/to/editor foo" svn commit
>
> Let's not try to understand *why* the administrator might
> want to do this, just that it is possible. :-)

Here, the problem is not with svn using system(). Instead, the
problem is with the setuid program mycommit building a command line
from user input without proper quoting. A big no-no in any setuid
program. You can not expect svn to guard you against vulnerabilities
in _other_ programs. That's a "can't win, don't try" type scenario.

> So, that means before we call system, either we need
> to escape all semicolons (and pipes and backticks and ...)

No. That would defeat the main purpose of using system().

> or we need to warn the user "$EDITOR is passed verbatim
> to system; you are probably *not* smart enough to protect
> yourself from craftily constructed $EDITOR variables, so
> we recommend that you don't build setuid applications that
> can trigger $EDITOR."

Somebody who needs that warning probably wasn't fit to build setuid
applications in the first place... Anyway, if you do a setuid app you
need to reset $EDITOR regardless. It doesn't take any "craftily
constructed $EDITOR variables" to exploit a setuid program that calls
$EDITOR. You can even leave it set to "emacs", just do M-x shell when
Emacs starts and you'll be able to use the privileges for anything.

  // Marcus

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Apr 29 13:17:52 2002

This is an archived mail posted to the Subversion Dev mailing list.