* Jason A. Donenfeld <[email protected]> [2012-10-28]:
> On Sat, Oct 27, 2012 at 7:00 PM, Ben Boeckel <[email protected]> wrote:
> > Single quote the arguments to the executable. This is ripe for code
> > execution (remote_user is under attacker's control).
>
> Was going to mention this myself, but you beat me to it. Dead on.
> Correctamundo.
>
> Please double double tripe triple check your code before submitting things.
I added the single quotes as suggested.

When I looked at the code initially, I was reasoning that the remote_user is set by the authentication part; in our case this is Apache, which in turn asks LDAP. Furthermore, Apache sets the remote_user and forwards it to cgit only if the user is actually a valid user. So my assumption was that remote_user is not under the attacker's control.

I guess I need some more help to understand why I am mistaken about this. Is it the case that the assumption fails if an attacker can inject something into LDAP, so that he may be able to pass through Apache successfully and then have his exploit, which is in remote_user, be executed on the machine which is running cgit?

V-

_______________________________________________
cgit mailing list
[email protected]
http://hjemli.net/mailman/listinfo/cgit
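Added example, not part of the original messages and not cgit's own code: wrapping a value in single quotes protects a shell command line only if single quotes inside the value are escaped as well, and an allow-list check on the name removes the dependence on what the authentication layer accepts. The function names `user_name_ok` and `sh_quote` are hypothetical, and the sketch assumes the command is run through `/bin/sh`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allow-list check: letters, digits, '.', '_' and '-' only, at most
 * 64 bytes, and no leading '-' (which would read as an option). */
int user_name_ok(const char *s)
{
    if (!s || !*s || *s == '-' || strlen(s) > 64)
        return 0;
    return s[strspn(s, "abcdefghijklmnopqrstuvwxyz"
                       "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                       "0123456789._-")] == '\0';
}

/* Return a malloc'd copy of s wrapped in single quotes for /bin/sh.
 * Each embedded ' becomes '\'' (close quote, escaped quote, reopen),
 * so the value cannot end the quoting early. Caller frees the result. */
char *sh_quote(const char *s)
{
    size_t n = 3;                 /* opening quote, closing quote, NUL */
    const char *p;
    char *out, *q;

    for (p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    out = q = malloc(n);
    if (!out)
        return NULL;
    *q++ = '\'';
    for (p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(q, "'\\''", 4);
            q += 4;
        } else {
            *q++ = *p;
        }
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const char *samples[] = { "alice", "o'brien", "name with $HOME" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *quoted = sh_quote(samples[i]);
        printf("%-16s ok=%d quoted=%s\n", samples[i],
               user_name_ok(samples[i]), quoted ? quoted : "(alloc failed)");
        free(quoted);
    }
    return 0;
}
```

Passing the value as its own `argv` element to `execve()` instead of building a shell string avoids the quoting problem entirely.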
