Hello Chicken users,

It was discovered that the "qs" procedure from the "utils" module performs incomplete escaping. On Windows (mingw32), this procedure quoted the string but did not escape embedded quote characters. On Unix, this procedure did not escape the pipe character. On both systems, the procedure simply copied NULL characters in the input string to the output string. This last detail is less important, because all procedures which pass the string to the shell contain a check for NUL bytes.
Furthermore, this procedure relied on a blacklist of "special" shell characters, which is considered bad practice as it is too easy to forget a character, and some shells have different rules as to which characters are special.

What all this means in practice is that an attacker-supplied filename or any other program argument can lead to arbitrary shell command execution through OS command injection, which is exactly what qs intends to prevent.

This bug is present in all versions of CHICKEN prior to revision 58684f69572453acc6fed7326fa9df39be98760e, in which it was fixed by switching to a whitelist approach on Unix and escaping quotes on Windows. CHICKEN 4.9.0 will include this fix.

The best workaround for this problem for older Chicken versions is to avoid calling out to the shell. Instead, you can rely on the PROCESS-EXECUTE procedure from the posix module, or use the safe multi-argument version of the PROCESS[*] procedures, also from the posix module. If you require the shell's easy pipeline and redirection capabilities, you can use the scsh-process egg, which uses PROCESS-EXECUTE under the hood.

You can also update to master 58684f69572453acc6fed7326fa9df39be98760e or apply the patch at http://lists.nongnu.org/archive/html/chicken-hackers/2013-04/msg00060.html

Many thanks to Florian Zumbiehl for pointing out the problem and providing the initial patch.

Kind regards,
The CHICKEN Team
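The following is an added illustration, not CHICKEN's own code, of the two approaches the advisory contrasts: a blacklist quoter that forgets the pipe character (the Unix bug) beside a whitelist quoter of the kind the fix switched to, plus the NUL-byte check. It is written in Python rather than Scheme, and the blacklist set, the SAFE set and the test strings are constructed for the example; shell tokenisation is modelled with the standard library's shlex rather than a real shell.

```python
import shlex
import string

# Illustrative blacklist of "special" characters, constructed for this example.
# '|' is deliberately missing, mirroring the omission described in the advisory.
BLACKLIST = set(" \t\"'\\$`;&<>()#*?[]~")


def qs_blacklist(s: str) -> str:
    """Weak quoter: backslash-escapes only the characters on the blacklist.
    Anything the list forgets (here '|') reaches the shell unescaped."""
    return "".join("\\" + c if c in BLACKLIST else c for c in s)


# Whitelist of characters that no POSIX shell treats specially.
SAFE = set(string.ascii_letters + string.digits + "@%+=:,./-_")


def qs_whitelist(s: str) -> str:
    """Hardened quoter: pass the string through only if every character is on
    the whitelist; otherwise wrap it in single quotes, rewriting each embedded
    single quote as '\\'' (close quote, escaped quote, reopen quote)."""
    if "\0" in s:
        raise ValueError("NUL byte in shell argument")  # a C string would be truncated here
    if s and all(c in SAFE for c in s):
        return s
    return "'" + s.replace("'", "'\\''") + "'"


def shell_words(cmdline: str) -> list:
    """Model of POSIX shell word splitting: operators such as '|', ';' and '&'
    come back as separate tokens, so an unescaped one shows up as a command break."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return list(lex)


def survives(quoter, arg: str) -> bool:
    """True if the shell would see exactly one argument word, equal to the
    original string, after the quoter has processed it."""
    try:
        return shell_words("cmd " + quoter(arg)) == ["cmd", arg]
    except ValueError:  # unbalanced quotes: the shell would reject or misparse it
        return False


if __name__ == "__main__":
    for arg in ["log.txt", "it's here.txt", "log.txt|other"]:
        print(repr(arg), "blacklist:", survives(qs_blacklist, arg),
              "whitelist:", survives(qs_whitelist, arg))
```

Running it shows the blacklist quoter handling the space and the quote but letting "log.txt|other" split into a second command word, while the whitelist quoter keeps every input as a single argument.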