[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Reminder: $EDITOR with spaces?

From: Marcus Comstedt <marcus_at_mc.pp.se>
Date: 2002-04-29 20:37:17 CEST

Mark Benedetto King <bking@answerfriend.com> writes:

> > > and will eventuall call, as uid=svn:
> > >
> > > EDITOR="/path/to/editor foo" svn commit
> > >
> > > Let's not try to understand *why* the administrator might
> > > want to do this, just that it is possible. :-)
> >
> > Here, the problem is not with svn using system(). Instead, the
> > problem is with the setuid program mycommit building a command line
> > from user input without proper quoting. A big no-no in any setuid
>
> The problem is not with mycommit or with system(). It's with
> the way they're (hypothetically) interacting. mycommit is
> expecting execl() semantics and system() doesn't give those
> semantics. This has bitten many programmers many times.

No it isn't. Expecting execl() semantics would be expecting svn to
execute the binary "editor foo" (with a space in the filename) in the
directory "/path/to", because that's what execl() would have done.

> It might be a "can't win, don't use system()" type scenario,
> though. Look at gets(). It's so evil, that it has been
> thoroughly deprecrated. Is gets() secure? Sure, if it never
> runs with elevated privileges or if the stdin has been sufficient
> constrained so as to ensure that lines will always be short enough.
> Most people have decided, at least for gets(), that the answer
> is "don't use gets()".

Now you're confusing things. There is a perfectly good reason for not
using gets(): Using gets() will cause your program to crash on some
input. That is undesirable even if you are not concerned about
security aspects.

> > need to reset $EDITOR regardless. It doesn't take any "craftily
> > constructed $EDITOR variables" to exploit a setuid program that calls
> > $EDITOR. You can even leave it set to "emacs", just do M-x shell when
>
> Sure it does, if it the user expects execl() semantics
> and gets system() semantics.

If the program uses a $EDITOR entirely provided by the user, then
nothing crafty is needed to exploit it. If the program tries to
construct a $EDITOR using user input for some kind of argument, then
it isn't expecting execl() semantics, as that would not allow for any
arguments at all.

  // Marcus

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Apr 29 20:42:30 2002

This is an archived mail posted to the Subversion Dev mailing list.