Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
Hi all,

A common workaround for this is to use

    [ "x$var" == "x" ] instead of [ -z "$var" ]

and

    [ "x$var" != "x" ] instead of [ -n "$var" ]

which doesn't exhibit the mentioned problem.

Regards,
Aleksandar

Alina Friedrichsen wrote:
> Hi!
>
>> Thanks for explaining.. this makes perfectly sense and would be right if
>> the metacharacter hadn't been enclosed in quotes. This should help the
>> interpreter on its feet again.. shouldn't it?
>
> No the test utility or its alias [ is designed as a normal external command
> like every other command line tool in UNIX.
>
> instead of
>     x='='
>     if [ -n "$x" ]; then
>         true
>     fi
> you can write
>     x='='
>     if /usr/bin/test -n "$x"; then # or maybe /bin/test
>         true
>     fi
>
> The quotes aren't passed to it like to every other command line tool.
>
> There are 2 Arguments, argument 1 is -n and argument 2 is =, that is all
> the information that is passed to test, no quotes.
>
> Regards
> Alina

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
Hi all,

Alina Friedrichsen wrote:
> Hi!
>
>> The correct syntax is [ -n "${var}" ] (notice the quotes).
>> Thanks to Vasilis.
>
> A security notice:

It can become a security issue when any function is wrongly used in a security context. I would mark this one only as a general warning.

> Don't use more than one expression in one test call.

You can freely use test concatenated by logical operators if you know how the used shell handles them and prevent the wrong behavior by protecting variables. It is just not portable.

> Use instead two test calls:
>
>     if [ -z "$x" ] && [ -z "$y" ]; then
>         echo x and y are empty
>     fi

For example:

    if [ "x$x" = x -a "x$y" = x ] ; then

or

    if [[ -z "$x" && -z "$y" ]] ; then ## in bash

would do the same thing but either way is not portable (-a and [[).

>     if [ -z "$x" ] || [ -z "$y" ]; then
>         echo x or y is empty
>     fi
>
> If more than one expression is done with test the comparison is exploitable.
> It's a design error of the UNIX shell and can't be fixed.

I would not dare to say the one "UNIX shell". There are many shells. And every one of them has its own issues or quirks or exceptions. Busybox (the original complaint was targeted to it) claims its POSIX compliance and it should handle -z/-n tests properly but the result is the same as in bash. The good way to handle it safely is to use portable expressions. Some of them are well documented differences, you can look to the Autoconf manual. It has had to handle them to become a really multiplatform tool. See for example:
http://www.gnu.org/software/autoconf/manual/html_node/Limitations-of-Builtins.html#index-g_t_0040command_007btest_007d-1431

> Regards
> Alina

Best regards,
Lubos

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
Hi!

> Thanks for explaining.. this makes perfectly sense and would be right if
> the metacharacter hadn't been enclosed in quotes. This should help the
> interpreter on its feet again.. shouldn't it?

No the test utility or its alias [ is designed as a normal external command like every other command line tool in UNIX.

instead of

    x='='
    if [ -n "$x" ]; then
        true
    fi

you can write

    x='='
    if /usr/bin/test -n "$x"; then # or maybe /bin/test
        true
    fi

The quotes aren't passed to it like to every other command line tool.

There are 2 Arguments, argument 1 is -n and argument 2 is =, that is all the information that is passed to test, no quotes.

Regards
Alina

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
Alina Friedrichsen wrote:
>
> The test function can't know what do you mean if you have more than one
> expression.
>
> With
>     [ -n = -a #[...]
> you can mean that:
>
> 1. if the string "=" is non empty and something other is true
> or
> 2. if the string "-n" is equal to the string "-a"
>
> the function can't find out what expression do you want. It can't differ a
> variable from a meta character.
>
> If you only use one expression per test call, then the tool can use the
> argument length to find out what expression do you want. The bash, dash and
> BusyBox ash do so.
>

Thanks for explaining.. this makes perfectly sense and would be right if the metacharacter hadn't been enclosed in quotes. This should help the interpreter on its feet again.. shouldn't it?

.. bud

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
Hello!

> I too still fail to see what's the actual problem. The test utility does
> exactly what it's supposed to do.
>
> Of course if you're using a poor method to parse the query string and
> then pass the bits unchecked to "test" it could result in some weird
> side effects.

test is one of the main functions to check user input in this script language. There aren't many alternatives to it.

> in this case
>
> [ -z "=" ] shouldn't result in ./test.sh: line 6: [: too many arguments
>
> apart from this bug? I still see no problem .. bud

The test function can't know what do you mean if you have more than one expression.

With

    [ -n = -a #[...]

you can mean that:

1. if the string "=" is non empty and something other is true
or
2. if the string "-n" is equal to the string "-a"

the function can't find out what expression do you want. It can't differ a variable from a meta character.

If you only use one expression per test call, then the tool can use the argument length to find out what expression do you want. The bash, dash and BusyBox ash do so.

Regards
Alina

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
Alina Friedrichsen wrote:
> Hello!
>
>> well I doublechecked it .. and while you are right on the checked input, I
>> am sure that
>>
>> if [ -z "=" ] ...
>>
>> shouldn't throw an error .. I also tried simple quotes (')
>
> Yes, only one expression is no Problem in all shell implementations I have
> tested.

you are right here .. I missed that

    if [ ! -z "$do_login" ] && [ "$user" == 'foo' -a "$password" == 'bar' ]; then

works, while

    if [ ! -z "$do_login" -a "$user" == 'foo' -a "$password" == 'bar' ]; then

throws the error if do_login='='

>> @Alina: Do you have reason to believe this isn't bug? If yes, why.
>
> What isn't a bug? It's a design error. You can't implement a shell
> interpreter, that is compatible with the current syntax and don't have the
> Problem, that you can inject an expression with the value argument. It's like
> strcpy() in C.
>

Sorry I only see that test obviously handles one and the same situation different, or better dies with a syntax error in one case. I am sure this is not supposed to happen.

.. bud

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
Hello!

> well I doublechecked it .. and while you are right on the checked input, I
> am sure that
>
> if [ -z "=" ] ...
>
> shouldn't throw an error .. I also tried simple quotes (')

Yes, only one expression is no Problem in all shell implementations I have tested.

> On the other hand, you are right no security issue.

That depends on the situation where the comparison is done.

> Because the right way
> to authenticate of course would be..

Both ways are right, yours are only more common.

> and this wouldn't be flawed by the error. I am still not sure, if this is
> meant to be.

The error handling of the shell interpreters is different, so you can't trust on that.

> @Alina: Do you have reason to believe this isn't bug? If yes, why.

What isn't a bug? It's a design error. You can't implement a shell interpreter, that is compatible with the current syntax and don't have the Problem, that you can inject an expression with the value argument. It's like strcpy() in C.

Regards
Alina

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
> I too still fail to see what's the actual problem. The test utility does
> exactly what it's supposed to do.
>

in this case

    [ -z "=" ]

shouldn't result in

    ./test.sh: line 6: [: too many arguments

apart from this bug? I still see no problem

.. bud

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
Hi.

I too still fail to see what's the actual problem. The test utility does exactly what it's supposed to do.

Of course if you're using a poor method to parse the query string and then pass the bits unchecked to "test" it could result in some weird side effects.

I was once bitten by that, we spent hours to find a reasonably secure approach to parse query strings with bash, only to find later that it was easy to circumvent by setting "IFS" via the url. So we extended the function to skip IFS, only to see that ...&I\FS=... works too... d'oh.

Conclusion: Use a better tool (tm) for the job, always prefix vars to avoid the possibility to pollute your current namespace, perform careful input checking.

~ JoW

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
Hi!

> That example is more of an example of unsanitized input and improper error
> checking. While it is a common problem with shell, I don't see how it
> relates to the claim made earlier. Is there a better example that doesn't
> rely on the user providing unchecked input? Maybe that example would make
> it clear to me.

The Problem is that the test utility is an elementary function to check the user input. If you can't rely on it, this is still a problem.

To write secure shell code is much harder than C code, but at least I try to do my best. Most unfortunately don't.

Regards
Alina

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
well I doublechecked it .. and while you are right on the checked input, I am sure that

    if [ -z "=" ] ...

shouldn't throw an error .. I also tried simple quotes (')

On the other hand, you are right no security issue. Because the right way to authenticate of course would be..

    if [ ! -z "$do_login" -a "$user" == 'foo' -a "$password" == 'bar' ]; then
        echo login success
    else
        echo login failed
    fi

and this wouldn't be flawed by the error. I am still not sure, if this is meant to be.

@Alina: Do you have reason to believe this isn't bug? If yes, why.

... bud

# Warren Turkal wrote:
> That example is more of an example of unsanitized input and improper error
> checking. While it is a common problem with shell, I don't see how it
> relates to the claim made earlier. Is there a better example that doesn't
> rely on the user providing unchecked input? Maybe that example would make it
> clear to me.
>
> Warren Turkal
> Linux Enthusiast and Libre Software Advocate
>
> On Jul 19, 2009 7:09 AM, "Alina Friedrichsen" wrote:
>
> Hi!
>
>> Could you quote an example or deliver an exploit?
> A example for the BASH:
>
> if [ -z "$do_login" -o "$user" != 'foo' -o "$password" != 'bar' ]; then
>     echo login faild
> else
>     echo login success
> fi
>
> Normal:
> http://[...]/[...]?do_login=1&user=foo&password=unknown
> Output:
> login faild
>
> Exploit:
> http://[...]/[...]?do_login==&user=foo&password=unknown
> Output:
> bash: [: too many arguments
> login success
>
> Regards Alina

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
That example is more of an example of unsanitized input and improper error checking. While it is a common problem with shell, I don't see how it relates to the claim made earlier. Is there a better example that doesn't rely on the user providing unchecked input? Maybe that example would make it clear to me.

Warren Turkal
Linux Enthusiast and Libre Software Advocate

On Jul 19, 2009 7:09 AM, "Alina Friedrichsen" wrote:
> Hi!
>
>> Could you quote an example or deliver an exploit?
>
> A example for the BASH:
>
> if [ -z "$do_login" -o "$user" != 'foo' -o "$password" != 'bar' ]; then
>     echo login faild
> else
>     echo login success
> fi
>
> Normal:
> http://[...]/[...]?do_login=1&user=foo&password=unknown
> Output:
> login faild
>
> Exploit:
> http://[...]/[...]?do_login==&user=foo&password=unknown
> Output:
> bash: [: too many arguments
> login success
>
> Regards Alina

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
Hi!

> Could you quote an example or deliver an exploit?

A example for the BASH:

    if [ -z "$do_login" -o "$user" != 'foo' -o "$password" != 'bar' ]; then
        echo login faild
    else
        echo login success
    fi

Normal:
http://[...]/[...]?do_login=1&user=foo&password=unknown
Output:
login faild

Exploit:
http://[...]/[...]?do_login==&user=foo&password=unknown
Output:
bash: [: too many arguments
login success

Regards
Alina

Re: [OpenWrt-Devel] etherwake configuration, not working on eth0
On Sunday 19 July 2009 14:22:38 Matthias Buecher / Germany wrote:
> On 19.07.2009 13:52, Malte S. Stretz wrote:
> > On Sunday 19 July 2009 13:27:47 Matthias Buecher / Germany wrote:
> >> [...]
> >
> > And even if eth0 is bridged, etherwake should work on the base device
> > eth0 as well if I'm not mistaken.
> >
> > Anyway, if it doesn't work for you, I guess the best way to handle this
> > is by doing something like this in the scripts which use etherwake:
> >
> >     . /etc/functions.sh
> >     include /lib/network
> >     DEFAULT_IFACE=lan
> >     scan_interfaces
> >     config_get iface $DEFAULT_IFACE ifname
> >     etherwake -i $iface "$@"
> >
> > The $DEFAULT_IFACE could be made configurable.
>
> For my private script I currently use the following code, which works
> great. As I'm the only user of the script, a simple env var is good enough.
> [...]

Try the attached script :)

Cheers,
Malte

--
uciwol
Description: application/shellscript

Re: [OpenWrt-Devel] etherwake configuration, not working on eth0
On 19.07.2009 13:52, Malte S. Stretz wrote:
> On Sunday 19 July 2009 13:27:47 Matthias Buecher / Germany wrote:
>> [...]
> And even if eth0 is bridged, etherwake should work on the base device eth0 as
> well if I'm not mistaken.
>
> Anyway, if it doesn't work for you, I guess the best way to handle this is by
> doing something like this in the scripts which use etherwake:
>
>     . /etc/functions.sh
>     include /lib/network
>     DEFAULT_IFACE=lan
>     scan_interfaces
>     config_get iface $DEFAULT_IFACE ifname
>     etherwake -i $iface "$@"
>
> The $DEFAULT_IFACE could be made configurable.

For my private script I currently use the following code, which works great. As I'm the only user of the script, a simple env var is good enough.

    EWIF='br-lan'

    # find program
    FOUND=0
    for EWCMD in 'ether-wake' 'etherwake' 'wol'
    do
        [ -z "`which ${EWCMD}`" ] && continue
        FOUND=1
        break
    done

    # exit if not found
    if [ ${FOUND} -eq 0 ]
    then
        echo "No etherwake program available (use opkg install etherwake)"
        exit 1
    fi

    # issue program
    echo 'Waking up PC, please wait...'
    echo "...using ${EWCMD}${EWIF:+ -i ${EWIF}} ${EWMAC}"
    ${EWCMD}${EWIF:+ -i ${EWIF}} ${EWMAC}
    RC=$?
    if [ ${RC} -ne 0 ]
    then
        echo "${EWCMD} returned error code ${RC}"
        exit 1
    fi

Maddes

Re: [OpenWrt-Devel] etherwake configuration, not working on eth0
On Sunday 19 July 2009 13:27:47 Matthias Buecher / Germany wrote:
> [...]
> I'm done creating the patches for etherwake and busybox's ether-wake to
> use br-lan as a default.
> But can somebody confirm that br-lan is also a working interface for
> other devices or Kamikaze 8.09 in general?

Kamikaze sets up the lan interface as a bridge per default, so your patch should work. But it will probably break as soon as somebody changes the interface config.

And even if eth0 is bridged, etherwake should work on the base device eth0 as well if I'm not mistaken.

Anyway, if it doesn't work for you, I guess the best way to handle this is by doing something like this in the scripts which use etherwake:

    . /etc/functions.sh
    include /lib/network
    DEFAULT_IFACE=lan
    scan_interfaces
    config_get iface $DEFAULT_IFACE ifname
    etherwake -i $iface "$@"

The $DEFAULT_IFACE could be made configurable.

Cheers,
Malte

Re: [OpenWrt-Devel] etherwake configuration, not working on eth0
Matthias "Maddes" Bücher
http://www.maddes.net/
Home: Earth / Germany / Ruhr-Area

On 18.07.2009 21:33, Matthias Buecher / Germany wrote:
> Hi everybody,
>
> I just found out that etherwake and busybox's ether-wake are not working
> with the default interface "eth0", but with "br-lan".
> This is on a WRT350Nv2 with Marvell Orion CPU.
>
> Now my questions:
> #1
> Is this a WRT350Nv2 / Marvell Orion specific issue?
> Or is "br-lan" the right interface for all builds of Kamikaze 8.09 to
> broadcast magic packets?
>
> #2
> If "br-lan" is the way to go, can the default interface be changed by a
> configuration variable (didn't see any)?
> Otherwise will create some patches to solve it.

I'm done creating the patches for etherwake and busybox's ether-wake to use br-lan as a default.
But can somebody confirm that br-lan is also a working interface for other devices or Kamikaze 8.09 in general?

#3
Also send a patch to the X-Wrt developers to support interfaces on their WoL page in their web front-end for OpenWrt.

Maddes

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
Could you quote an example or deliver an exploit?

thanks bud

> Hi!
>
>> The correct syntax is [ -n "${var}" ] (notice the quotes).
>> Thanks to Vasilis.
>
> A security notice:
> Don't use more than one expression in one test call.
> Use instead two test calls:
>
> if [ -z "$x" ] && [ -z "$y" ]; then
>     echo x and y are empty
> fi
>
> if [ -z "$x" ] || [ -z "$y" ]; then
>     echo x or y is empty
> fi
>
> If more than one expression is done with test the comparison is exploitable.
> It's a design error of the UNIX shell and can't be fixed.
>
> Regards
> Alina

Re: [OpenWrt-Devel] "-n" comparison not working in Busybox 1.13.4
Hi!

> The correct syntax is [ -n "${var}" ] (notice the quotes).
> Thanks to Vasilis.

A security notice:
Don't use more than one expression in one test call.
Use instead two test calls:

    if [ -z "$x" ] && [ -z "$y" ]; then
        echo x and y are empty
    fi

    if [ -z "$x" ] || [ -z "$y" ]; then
        echo x or y is empty
    fi

If more than one expression is done with test the comparison is exploitable.
It's a design error of the UNIX shell and can't be fixed.

Regards
Alina

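The login check quoted in this thread, set beside the one-expression-per-call form the security notice above recommends, as an added example that is not part of any post in the thread. The function names are hypothetical; the 'foo'/'bar' credentials and the '=' input are the thread's own sample values, and the exit status 2 is what bash and dash return when test cannot parse its arguments.

```sh
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical;
# the 'foo'/'bar' credentials and the '=' input are the thread's sample values.

# One test call, three expressions joined with -o (the form quoted in the
# thread). With do_login='=' the argument list starts: -z = -o ...
# test reads that as the string comparison "-z" = "-o", then finds leftover
# words and exits with status 2. "if" only sees non-zero, so the else branch
# runs: the check fails open.
login_combined() {
    if [ -z "$1" -o "$2" != 'foo' -o "$3" != 'bar' ] 2>/dev/null; then
        echo 'login failed'
    else
        echo 'login success'
    fi
}

# One expression per test call, joined by the shell's || operator. Each call
# gets at most three arguments, a count test can parse unambiguously, so the
# untrusted value is always treated as an operand.
login_split() {
    if [ -z "$1" ] || [ "$2" != 'foo' ] || [ "$3" != 'bar' ]; then
        echo 'login failed'
    else
        echo 'login success'
    fi
}

# Exit status of the combined test: 0 = true, 1 = false, 2 = parse error.
# A script that wants to notice the third case has to inspect the status
# itself; if/else alone cannot tell "false" from "error".
combined_status() {
    if [ -z "$1" -o "$2" != 'foo' -o "$3" != 'bar' ] 2>/dev/null; then
        echo 0
    else
        echo $?
    fi
}

# Constructed inputs: do_login takes a normal value and the '=' value,
# user is correct, password is wrong.
for do_login in 1 '='; do
    printf 'do_login=%s combined: %s (status %s), split: %s\n' \
        "$do_login" \
        "$(login_combined "$do_login" foo unknown)" \
        "$(combined_status "$do_login" foo unknown)" \
        "$(login_split "$do_login" foo unknown)"
done
```
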