[pmwiki-users] Faster searches and categories

Patrick R. Michaud pmichaud at pobox.com
Mon Sep 12 15:39:16 CDT 2005


On Mon, Sep 12, 2005 at 04:27:15PM -0400, Martin Fick wrote:
> > As an aside, I'm concerned that the $ginclp variable in 
> > grepsearch.php makes it possible for anyone to execute 
> > arbitrary commands on the server-- consider the effect of
> > (if you attempt this, do it on a BACKUP!):
> > 
> >     (:pagelist 'foo bar ; rm -rf . ; echo' :)
> > 
> > which I think causes the executed shell command to become
> > 
> >     cd wiki.d; F=`find . -type f |grep -v '^\./\.'`; 
> >     grep -l -i -e foo bar ; rm -rf \. ; echo \$F |sed -es'|^.*/||g'
> > 
> > which would be a really Bad Thing.  So there needs to be
> > some sort of guards put in place to prevent that sort of
> > thing from happening...
> 
> Hmm, I was not aware that users could use quotes to get
> filenames through like that!  

Oh yes, it's a very difficult problem; as a result the 
system() command is generally considered to be very unsafe --
especially if any of the arguments or inputs to the command
come from user input.

> This does not seem to happen because for some reason /s are
> replaced with \s making paths unreadable.  I tried simpler 
> safe versions and could not get them to work.

One can do a lot of damage even without having the ability
to create paths -- the cd command can be used to switch to
other directories before the command is executed...

But even so, are the slashes *replaced* by backslashes, or
is it just that a backslash appears in front of the existing
slash?

> Do you think this simple fix would safeguard things better:
> 
> switch
>     $ginclp .= "-e $ip ";
> 
> to
>     $ginclp .= "-e '$ip' ";
> 
> or could single quotes get injected somehow?

Single quotes can be injected just as easily:

   (:pagelist "foo' bar ; rm -rf . ; echo 'xyz":)

becomes

    cd wiki.d; F=`find . -type f |grep -v '^\./\.'`; 
    grep -l -i -e 'foo' bar ; rm -rf \. ; echo 'xyz' \$F |sed -es'|^.*/||g'

Pm
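The quoting problem discussed in this thread, as an added example that is not pmwiki's own code: it rebuilds the two command strings for the injection term quoted above (the single-quote version and the same thing passed through PHP's escapeshellarg()), then runs the hardened search over a small scratch directory so the injection string is matched as plain text and nothing is executed. The scratch directory, the page names and the build_unsafe(), build_safe() and safe_search() helpers are assumptions made for the demonstration, not code from grepsearch.php.

```php
<?php
// Added example, not pmwiki's own code. build_unsafe() reproduces the
// quoting proposed in the thread to show why it fails; build_safe() and
// safe_search() use escapeshellarg() so the term can never leave its
// argument, and "--" so a term beginning with "-" is not read as a grep option.

// Constructed scratch wiki.d (path and page names are made up for the demo).
$dir = sys_get_temp_dir() . '/wikid_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/Main.Foo", "This page mentions foo.\n");
file_put_contents("$dir/Main.Bar", "Nothing to see here.\n");
file_put_contents("$dir/.flock",   "lock file, must be skipped\n");

// The search terms: a normal one and the injection string from the thread.
$terms = ['foo', "foo' bar ; rm -rf . ; echo 'xyz"];

// Thread's proposed fix: plain single quotes around the term.
// A single quote inside $ip closes the quoted argument and the rest
// of the term is executed as further shell commands.
function build_unsafe(string $ip): string {
    $ginclp = "-e '$ip' ";
    return "grep -l -i $ginclp \$F";
}

// escapeshellarg() wraps the term in single quotes and rewrites each
// embedded ' as '\'' so the shell sees exactly one literal argument.
function build_safe(string $ip): string {
    $ginclp = '-e ' . escapeshellarg($ip) . ' ';
    return "grep -l -i $ginclp -- \$F";
}

// Run the hardened search: the file list is built in PHP (dotfiles skipped),
// every argument is escaped, and grep's exit code is checked
// (1 only means "no match"; anything higher is a real error).
function safe_search(string $dir, string $ip): array {
    $files = [];
    foreach (scandir($dir) as $f) {
        if ($f[0] !== '.' && is_file("$dir/$f")) {
            $files[] = escapeshellarg("$dir/$f");
        }
    }
    if (!$files) {
        return [];
    }
    $cmd = 'grep -l -i -e ' . escapeshellarg($ip) . ' -- ' . implode(' ', $files);
    exec($cmd, $out, $rc);
    if ($rc > 1) {
        throw new RuntimeException("grep failed ($rc): $cmd");
    }
    return array_map('basename', $out);
}

foreach ($terms as $t) {
    echo "term:   $t\n";
    echo "unsafe: " . build_unsafe($t) . "\n";
    echo "safe:   " . build_safe($t) . "\n";
    echo "hits:   " . implode(', ', safe_search($dir, $t)) . "\n\n";
}

// The injection term matched nothing and, more to the point, nothing was
// deleted: the scratch directory is still intact.
echo is_file("$dir/Main.Bar") ? "scratch dir intact\n" : "scratch dir damaged!\n";

// Clean up the scratch directory.
foreach (['Main.Foo', 'Main.Bar', '.flock'] as $f) {
    unlink("$dir/$f");
}
rmdir($dir);
```

For the injection term the unsafe builder prints the same `grep ... -e 'foo' bar ; rm -rf . ; echo 'xyz' $F` line shown in the message above, while the safe builder prints `-e 'foo'\'' bar ; rm -rf . ; echo '\''xyz'`, a single argument as far as the shell is concerned. Two caveats a practitioner should keep in mind: escapeshellarg() protects the shell, not grep, so a term such as `-r` would still be parsed as an option unless it follows `-e` or `--`; and the quoting question disappears entirely if no shell is involved, either by searching the files from PHP itself (fopen/stripos) or, on PHP 7.4 and later, by passing proc_open() an array of arguments instead of a command string.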
