[pmwiki-users] Faster searches and categories
Patrick R. Michaud
pmichaud at pobox.com
Mon Sep 12 15:39:16 CDT 2005
On Mon, Sep 12, 2005 at 04:27:15PM -0400, Martin Fick wrote:
> > As an aside, I'm concerned that the $ginclp variable in
> > grepsearch.php makes it possible for anyone to execute
> > arbitrary commands on the server-- consider the effect of
> > (if you attempt this, do it on a BACKUP!):
> >
> > (:pagelist 'foo bar ; rm -rf . ; echo' :)
> >
> > which I think causes the executed shell command to become
> >
> > cd wiki.d; F=`find . -type f |grep -v '^\./\.'`;
> > grep -l -i -e foo bar ; rm -rf \. ; echo \$F |sed -es'|^.*/||g'
> >
> > which would be a really Bad Thing. So there needs to be
> > some sort of guards put in place to prevent that sort of
> > thing from happening...
>
> Hmm, I was not aware that users could use quotes to get
> filenames through like that!
Oh yes, it's a very difficult problem; as a result the
system() command is generally considered to be very unsafe --
especially if any of the arguments or inputs to the command
come from user input.
> This does not seem to happen because for some reason /s are
> replaced with \s making paths unreadable. I tried simpler
> safe versions and could not get them to work.
One can do a lot of damage even without having the ability
to create paths -- the cd command can be used to switch to
other directories before the command is executed...
But even so, are the slashes *replaced* by backslashes, or
is it just that a backslash appears in front of the existing
slash?
> Do you think this simple fix would safeguard things better:
>
> switch
> $ginclp .= "-e $ip ";
>
> to
> $ginclp .= "-e '$ip' ";
>
> or could single quotes get injected somehow?
Single quotes can be injected just as easily:
(:pagelist "foo' bar ; rm -rf . ; echo 'xyz":)
becomes
cd wiki.d; F=`find . -type f |grep -v '^\./\.'`;
grep -l -i -e 'foo' bar ; rm -rf \. ; echo 'xyz' \$F |sed -es'|^.*/||g'
Pm
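The thread shows that wrapping $ip in literal single quotes does not help, because a single quote in the search term closes the quoting. The example below is an added illustration, not PmWiki's own code or a patch from this thread: it builds the grep "-e" arguments with PHP's escapeshellarg(), which quotes the whole value and escapes any embedded single quote, and it shows an allowlist check as a stricter alternative. The function and variable names (build_grep_args, is_safe_search_term, $terms) are hypothetical.

```php
<?php
// Added example (not PmWiki's own code): pass user-supplied search terms
// to the shell as single, literal arguments instead of interpolating them
// into the command string. Names used here are hypothetical.

function build_grep_args(array $terms): string
{
    $args = '';
    foreach ($terms as $term) {
        // escapeshellarg() wraps the value in single quotes and rewrites any
        // embedded single quote as '\'' , so characters such as ; | ` and $
        // inside $term are seen by grep as pattern text, not by sh as syntax.
        $args .= '-e ' . escapeshellarg($term) . ' ';
    }
    return rtrim($args);
}

// Stricter policy, useful in addition to escaping: refuse any term that
// contains characters a search pattern has no need for.
function is_safe_search_term(string $term): bool
{
    return preg_match('/^[A-Za-z0-9 _.\-]+$/', $term) === 1;
}

// Constructed input modelled on the injection attempt quoted in the thread.
$terms = ["foo' bar ; rm -rf . ; echo 'xyz"];

// With escapeshellarg() the whole string becomes one quoted grep pattern;
// the shell never sees an unquoted ';' that would start a second command.
echo build_grep_args($terms), "\n";

// The allowlist rejects the constructed term and accepts a plain one.
var_dump(is_safe_search_term($terms[0]));
var_dump(is_safe_search_term('foo bar'));
```

Escaping the arguments is the minimal repair for the string-building approach shown in the thread; where the PHP version allows it, handing the command to proc_open() as an array of arguments avoids the shell altogether, which removes the quoting problem rather than patching it.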