On 29 September 2014 14:03, arisawa <[email protected]> wrote:
> today, we have a number of malicious requests to our web server.
> assume a web server accepts a request with a query
> query='fn#foo=fn%20foo%20{echo%20yes};%20echo%20no%0a'
>
but why should a web server put arbitrary data from a remote user
unrestrained into the environment?
even if rc used a restricted parser, as it stands you could still write
fn#cd=fn%20cd%20{do_horrible_thing}
and it would stand a good chance of doing the horrible thing if the web
server runs a shell script that does a cd.
really, as with Apache, the problem is the uncritical nature of the web
server.
it's probably reasonable to have rc use a parser that accepts only
functions, but that's for precision, not to fix a security problem
elsewhere.
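
Added example, not part of the original message and not code from rc or any web server: a sketch of the point above, comparing a server that lets query parameters choose environment variable names with one that only places client data under names it picks itself. The function names, the QUERY_ prefix and the assumed "uncritical" server behaviour are hypothetical.

```python
import re
from urllib.parse import unquote

# rc keeps function definitions in environment entries named fn#NAME.
FN_PREFIX = "fn#"
SAFE_PARAM = re.compile(r"[A-Za-z][A-Za-z0-9_]*")

def split_query(query):
    """Decode a raw query string into (name, value) pairs."""
    pairs = []
    for field in query.split("&"):
        if field:
            name, _, value = field.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs

def uncritical_env(query):
    """Assumed server behaviour: every parameter becomes a variable."""
    return dict(split_query(query))

def restrained_env(query, method="GET"):
    """Client data only ever appears as a value, under a server-chosen name."""
    env = {"REQUEST_METHOD": method, "QUERY_STRING": query}
    for name, value in split_query(query):
        # Names the client controls never reach the environment unprefixed;
        # anything that is not a plain identifier is dropped entirely.
        if SAFE_PARAM.fullmatch(name):
            env["QUERY_" + name.upper()] = value
    return env

def function_entries(env):
    """Names in env that rc would pick up as function definitions."""
    return sorted(n for n in env if n.startswith(FN_PREFIX))

# Constructed sample: the query from the message plus one benign parameter.
SAMPLE = "fn#foo=fn%20foo%20{echo%20yes};%20echo%20no%0a&page=2"

if __name__ == "__main__":
    print(function_entries(uncritical_env(SAMPLE)))   # fn# entry present
    print(function_entries(restrained_env(SAMPLE)))   # none
```

The same check covers the fn#cd case: a well-formed function body passes any restricted parser, so the name has to be refused before it reaches the environment.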