Re: Reminder: $EDITOR with spaces?

On Sun, Apr 28, 2002 at 11:28:56PM +0200, Marcus Comstedt wrote:
>
> As I've said before, the unsafe/exploit point is moot. We're running
> any binary/script of the users choice. That in itself is as big an
> "exploit" as you could possibly hope to get. system() in itself adds
> nothing in this department. If I wan't "echo >/etc/passwd" to be
> executed, I can just put that in a script and use the name of the
> script as $EDITOR.
>

Historically, many vulnerabilities have resulted from insufficient
input validation around system() calls. Considering the complexity
of /bin/sh, this is not suprising.

This will seem a little contrived, but it is an example:

Let's say an administrator wants to build s setuid-svn executable
that is run as follows:

        mycommit foo

and will eventuall call, as uid=svn:

        EDITOR="/path/to/editor foo" svn commit

Let's not try to understand *why* the administrator might
want to do this, just that it is possible. :-)

One might think that, presuming that the executable
at /path/to/editor was capable of handling arbitrary
parameters, everything would be hunky-dory. But wait!
We're calling system()! That means $EDITOR gets passed
verbatim as, basically,

        execl("/bin/sh","sh","-c",$EDITOR,0);

So, let's say the user runs

        mycommit "foo; cp /bin/sh /tmp/; chmod 4777 /tmp/sh"

You can see where this goes wrong.

So, that means before we call system, either we need
to escape all semicolons (and pipes and backticks and ...)
or we need to warn the user "$EDITOR is passed verbatim
to system; you are probably *not* smart enough to protect
yourself from craftily constructed $EDITOR variables, so
we recommend that you don't build setuid applications that
can trigger $EDITOR."

--ben

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Apr 29 08:44:13 2002