According to Geoff Hutchison:
> At 4:31 AM -0700 9/3/01, [EMAIL PROTECTED] wrote:
> >htdig version: 3.1.5-2, from debian pkg
> >Htsearch accepts "-c" command line parameter even when
> >running as
> 
> I certainly remember adding the -c switch to the command-line, but I 
> don't remember anything about the CGI accepting it. Have I been 
> asleep? (IMHO, this falls into the very bad category of accepting 
> arbitrary CGI information, which is a no-no.)
> 
> I'm also wondering about:
>          char    *configDir = getenv("CONFIG_DIR");
> 
> which I don't remember--this also seems like a bad idea.
> 
> If you have any thoughts about these, great. Otherwise, I'm going to 
> suggest killing them for 3.1.6.

I don't think the CONFIG_DIR environment variable is a problem, because
there's no way that I know of to arbitrarily define environment variables
for a CGI program from the web client.

However, I did say some time back that I was very concerned about the
potential for abuse in the -c option to htsearch.  The CGI program doesn't
have to do anything explicitly to accept it.  It's just a normal part of
the CGI interface that the query string in the GET requests is decoded and
broken up into command line arguments passed to the CGI program.  E.g.,

    http://www.htdig.org/cgi-bin/htsearch?-c+/path/to/whatever/i/want

would do it!  It's a much more limited vulnerability than the hole I
closed in 3.1.5 last year, but I still think we need to do something.

Trouble is, now that the option is there, it's being used quite a lot,
especially in wrapper scripts, so you can expect screams of protest if
we simply remove it.

So, any ideas about how we can avoid abuses like the URL above, or that
described in bug #458013, but still allow -c from a wrapper script or
shell command line?  Maybe we can ignore -c when REQUEST_METHOD is set
to GET or POST, and allow it otherwise?  CGI wrapper scripts that need to
use htsearch -c conf would then need to get the query string themselves,
and pass the query string to htsearch as an argument, and clear the
REQUEST_METHOD environment variable beforehand.

I suppose we could also have a compile time option to re-enable the old
behaviour for stubborn folks who'd rather put their systems at risk than
rewrite a wrapper.  What do you think?

-- 
Gilles R. Detillieux              E-mail: <[EMAIL PROTECTED]>
Spinal Cord Research Centre       WWW:    http://www.scrc.umanitoba.ca/~grdetil
Dept. Physiology, U. of Manitoba  Phone:  (204)789-3766
Winnipeg, MB  R3E 3J7  (Canada)   Fax:    (204)789-3930

_______________________________________________
htdig-dev mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/htdig-dev
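As an added example (not htdig's own code), the C++ below models the proposal in the message above: honour -c only when REQUEST_METHOD is unset or is neither GET nor POST, and show how a CGI server's indexed-query handling turns the quoted URL into argv. The names SearchOptions, parseArgs, configOptionAllowed and indexedQueryToArgv are assumptions for this sketch, not htsearch's real interfaces.

```cpp
#include <cctype>
#include <cstdlib>
#include <cstring>
#include <string>
#include <vector>

struct SearchOptions {
    std::string configFile;      // empty: fall back to the compiled-in default
    bool configIgnored = false;  // -c was present but dropped as untrusted
};

// The thread's proposal: under GET/POST the web server started us and argv came
// from the client's query string, so -c is not honoured; otherwise (shell, or a
// wrapper that cleared REQUEST_METHOD) the old behaviour is kept.
bool configOptionAllowed(const char *requestMethod) {
    if (requestMethod == nullptr || *requestMethod == '\0')
        return true;  // not running under a CGI gateway
    return std::strcmp(requestMethod, "GET") != 0 && std::strcmp(requestMethod, "POST") != 0;
}

// Minimal option walk: only "-c <file>" is modelled; requestMethod is a parameter
// (instead of getenv) so the decision is unit-testable.  (Assumed name.)
SearchOptions parseArgs(const std::vector<std::string> &argv, const char *requestMethod) {
    SearchOptions opts;
    const bool allowed = configOptionAllowed(requestMethod);
    for (size_t i = 1; i < argv.size(); ++i) {
        if (argv[i] == "-c" && i + 1 < argv.size()) {
            if (allowed) opts.configFile = argv[i + 1];
            else         opts.configIgnored = true;
            ++i;  // consume the option's argument either way
        }
    }
    return opts;
}

// Model of the CGI "indexed query" rule (RFC 3875, section 4.4): a QUERY_STRING with
// no '=' is split on '+', URL-decoded and passed as argv.  This is how
// "?-c+/path/to/whatever/i/want" reaches htsearch as the two arguments "-c" "/path...".
std::vector<std::string> indexedQueryToArgv(const std::string &query) {
    std::vector<std::string> argv{"htsearch"};
    if (query.empty() || query.find('=') != std::string::npos) return argv;
    std::string piece;
    for (size_t i = 0; i <= query.size(); ++i) {
        if (i == query.size() || query[i] == '+') { argv.push_back(piece); piece.clear(); }
        else if (query[i] == '%' && i + 2 < query.size() &&
                 std::isxdigit((unsigned char)query[i + 1]) && std::isxdigit((unsigned char)query[i + 2])) {
            piece += (char)std::strtol(query.substr(i + 1, 2).c_str(), nullptr, 16);
            i += 2;
        } else piece += query[i];
    }
    return argv;
}
```

A wrapper script that wants the old behaviour would clear REQUEST_METHOD before exec'ing htsearch, exactly as the message suggests.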
