Hi,

On Sun, Jan 23, 2005 at 08:28:47PM -0500, Justin Pryzby wrote:
> On Sun, Jan 23, 2005 at 05:42:04PM -0500, pryzbyj wrote:
> > tags 281655 patch
> > thanks
> >
> > I've included a 2-line patch which implements some output
> > sanitization. I can't find any other instance where this is a
> > problem, but don't take my word for it; I haven't followed the code
> > *that* closely.
> >
> > Since info filenames/titles can be named anything (which is a Good
> > Thing), the way to handle this is to escape '<' (and '>' while we're
> > at it). This prevents anyone from sticking any html anywhere.
> >
> > I would also like to see this code use perl -T (for testing, as well
> > as for installation, I think). I will probably play with this later
> > tonight.
> >
> > I've never used perl -T before and it may very well break this program
> > horribly.
> It broke it, but not horribly. The only complaint (check apache's
> error log) is about $ENV{'PATH'}. The Debian fix is to just set
> $ENV{'PATH'}="/bin:/usr/bin" (or even just leave it untouched, maybe).
>
> So, in addition to the previous patch, I suggest that the script runs
> with #!/usr/bin/perl -T, and that the ENV variable is either set
> absolutely, or not changed at all.
Thanks Justin for all the help and patches. I implemented most of your
suggestions and some additional ones in a new patch (attached to this mail).

Unfortunately, I don't think escaping '<' and '>' will suffice. IIRC there
exist XSS exploits which don't use special characters at all, so it's quite
hard to filter... But IMHO what we have now is a first good step.

I'm CC'ing the security team (this was long overdue), maybe they have some
more suggestions. If no one objects I'll upload a new info2www package with
the attached patch to unstable. The security announce and uploads to stable
will be handled by the security team, right?

Thanks, Uwe.

--
Uwe Hermann <[EMAIL PROTECTED]>
http://www.hermann-uwe.de | http://www.crazy-hacks.org
http://www.it-services-uh.de | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de
--- info2www 2005-01-30 21:06:37.000000000 +0100 +++ info2www.new 2005-01-31 05:02:03.000000000 +0100 @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl -T # # info2www - Gateway between GNU Info nodes and WWW $id = '$Id: info2www,v 1.2.2.9 1996/07/02 08:44:12 lmdrsm Exp $ '; @@ -82,8 +82,11 @@ # Set the PATH so that the ZCAT and GZCAT programs can be found # -$ENV{'PATH'} =~ s!:$!!; -$ENV{'PATH'} .= ":/bin:/usr/bin"; +#$ENV{'PATH'} =~ s!:$!!; +#$ENV{'PATH'} .= ":/bin:/usr/bin"; + +# Security: Hardcoded paths, so malicious tampering with PATH is not possible. +$ENV{'PATH'} = "/bin:/usr/bin"; # # ZCAT is the program to use for reading compressed files (*.Z) @@ -1138,6 +1141,15 @@ # Print an HTML error message sub Error { local($reason) = @_; + + # Security checks to prevent at least _some_ forms of XSS attacks. + # TODO: This is far from complete, more checks need to be done! + $reason =~ s/</</gs; + $reason =~ s/>/>/gs; + $reason =~ s/&/&/gs; + $reason =~ s/"/"/gs; + $reason =~ s/#//gs; + print "<STRONG>Sorry! - $reason</STRONG>\n<P>\n"; return(0); }
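Review bot: In the first hunk, putting `-T` only on the `#!/usr/bin/perl` line means taint mode is enabled only when the script is executed directly; if something runs it as `perl info2www` (a test harness, or a CGI handler that invokes the interpreter explicitly) Perl aborts with "Too late for "-T" option" instead of silently running untainted. Worth a comment next to the shebang, and the package's test and install steps should invoke it as `perl -T info2www` or directly.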
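Review bot: In the second hunk, hardcoding `$ENV{'PATH'} = "/bin:/usr/bin";` is the right fix for the complaint Justin saw, but under `-T` Perl also refuses `system`/backticks (used here for ZCAT/GZCAT) while `IFS`, `CDPATH`, `ENV` or `BASH_ENV` are present in the environment, so add `delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};` right after the assignment. The two old lines left behind as `#$ENV{'PATH'} ...` comments add nothing the diff does not already record and can be dropped.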
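Review bot: In the `sub Error` hunk, the order of the substitutions is wrong for HTML escaping: `&` must be replaced before `<`, `>` and `"`, otherwise the ampersand of every entity produced by the earlier lines is itself re-escaped (`&lt;` becomes `&amp;lt;`). As shown in this mail the right-hand sides read as identity replacements (`s/</</gs`), which looks like the `&lt;`/`&gt;`/`&amp;`/`&quot;` entities were eaten in transit; please re-send with the entities intact so the actual replacement text can be reviewed. `$reason =~ s/#//gs;` silently deletes every `#` from the message with no stated reason and should either get a comment saying what it defends against or be removed. As the TODO says, only `Error` is covered here; every other place a node name, file name or title is interpolated into output needs the same escaping, ideally through one shared escape helper rather than a copy of these lines.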