Hi,

On Sun, Jan 23, 2005 at 08:28:47PM -0500, Justin Pryzby wrote:
> On Sun, Jan 23, 2005 at 05:42:04PM -0500, pryzbyj wrote:
> > tags 281655 patch
> > thanks
> > 
> > I've included a 2-line patch which implements some output
> > sanitization.  I can't find any other instance where this is a
> > problem, but don't take my word for it; I haven't followed the code
> > *that* closely.
> > 
> > Since info filenames/titles can be named anything (which is a Good
> > Thing), the way to handle this is to escape '<' (and '>' while we're
> > at it).  This prevents anyone from sticking any html anywhere.
> > 
> > I would also like to see this code use perl -T (for testing, as well
> > as for installation, I think).  I will probably play with this later
> > tonight.
> > 
> > I've never used perl -T before and it may very well break this program
> > horribly.
> It broke it, but not horribly.  The only complaint (check Apache's
> error log) is about $ENV{'PATH'}.  The Debian fix is to just set
> $ENV{'PATH'}="/bin:/usr/bin" (or even just leave it untouched, maybe).
> 
> So, in addition to the previous patch, I suggest that the script runs
> with #!/usr/bin/perl -T, and that the ENV variable is either set
> absolutely, or not changed at all.

Thanks Justin for all the help and patches.

I implemented most of your suggestions and some additional ones in a new
patch (attached to this mail).
Unfortunately, I don't think escaping '<' and '>' will suffice. IIRC
there exist XSS exploits which don't use special characters at all, so
it's quite hard to filter...

But IMHO what we have now is a first good step. I'm CC'ing the security
team (this was long overdue), maybe they have some more suggestions.

If no one objects I'll upload a new info2www package with the attached
patch to unstable. The security announce and uploads to stable will be
handled by the security team, right?


Thanks, Uwe.
-- 
Uwe Hermann <[EMAIL PROTECTED]>
http://www.hermann-uwe.de                 | http://www.crazy-hacks.org
http://www.it-services-uh.de              | http://www.phpmeat.org
http://www.unmaintained-free-software.org | http://www.holsham-traders.de
--- info2www    2005-01-30 21:06:37.000000000 +0100
+++ info2www.new        2005-01-31 05:02:03.000000000 +0100
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/perl -T
 #
 # info2www - Gateway between GNU Info nodes and WWW
 $id = '$Id: info2www,v 1.2.2.9 1996/07/02 08:44:12 lmdrsm Exp $ ';
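Review bot: the `-T` on the `#!/usr/bin/perl -T` line only takes effect when the script is started through that line; anything that runs it as `perl info2www` (a test harness, a wrapper) dies with "Too late for "-T" option", so such invocations need `perl -T` as well. The hunk also shows no untainting of the request-derived file and node names, and under taint mode every later `open`, `system` or backtick call that receives them will refuse to run unless each one is first passed through a capturing whitelist regex; those call sites are not in this patch, so please confirm they are handled before the upload.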
@@ -82,8 +82,11 @@
 # Set the PATH so that the ZCAT and GZCAT programs can be found
 #
 
-$ENV{'PATH'} =~ s!:$!!;
-$ENV{'PATH'} .= ":/bin:/usr/bin";
+#$ENV{'PATH'} =~ s!:$!!;
+#$ENV{'PATH'} .= ":/bin:/usr/bin";
+
+# Security: Hardcoded paths, so malicious tampering with PATH is not possible.
+$ENV{'PATH'} = "/bin:/usr/bin";
 
 #
 # ZCAT is the program to use for reading compressed files (*.Z)
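Review bot: the absolute assignment `$ENV{'PATH'} = "/bin:/usr/bin";` is the right fix for the taint-mode complaint, but when an external program is run perl also rejects inherited IFS, CDPATH, ENV and BASH_ENV, so add `delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};` next to it. The two commented-out old assignments (`#$ENV{'PATH'} =~ s!:$!!;` and `#$ENV{'PATH'} .= ":/bin:/usr/bin";`) should be removed rather than left as dead code; the "Security: Hardcoded paths" comment already documents the change.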
@@ -1138,6 +1141,15 @@
 # Print an HTML error message
 sub Error {
     local($reason) = @_;
+
+    # Security checks to prevent at least _some_ forms of XSS attacks.
+    # TODO: This is far from complete, more checks need to be done!
+    $reason =~ s/</&lt;/gs;
+    $reason =~ s/>/&gt;/gs;
+    $reason =~ s/&/&amp;/gs;
+    $reason =~ s/"/&quot;/gs;
+    $reason =~ s/#//gs;
+
     print "<STRONG>Sorry! - $reason</STRONG>\n<P>\n";
     return(0);
 }
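Review bot: the substitutions in Error() run in the wrong order: `$reason =~ s/</&lt;/gs;` and `$reason =~ s/>/&gt;/gs;` come before `$reason =~ s/&/&amp;/gs;`, so the `&` of the entities just produced is rewritten and the user sees `&amp;lt;`, i.e. a literal "&lt;" instead of "<". Move the `&` substitution to the top of the list. `$reason =~ s/#//gs;` silently deletes every `#` from the message (including legitimate ones in node names) and closes no hole that the other lines leave open, so it should go. As the TODO says, this only covers strings that reach Error(); any other place the script prints request-derived text needs the same escaping, and the patch does not show those.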

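An added example, not taken from the thread or from the info2www package, showing in Perl the two points discussed above: an HTML-escaping routine whose substitution order avoids double-escaping (with the attached patch's order kept beside it for comparison), and a whitelist untaint of a client-supplied Info name so that the script can still reach zcat under `-T`. The `untaint_info_name` helper and its character class are this example's own assumptions; as Justin notes, Info file names can legitimately contain other characters, so a real deployment would widen the class. All inputs are constructed.

```perl
#!/usr/bin/perl -T
# Added example (not info2www code). Shows HTML escaping in the order that
# avoids double-escaping, and a whitelist untaint for a request-supplied
# Info file name so it can be passed to an external program under -T.
use strict;
use warnings;

# Taint mode refuses to run external programs while PATH is inherited from
# the web server; set it absolutely and drop the other variables perl checks.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Escape text for an HTML text node or a double-quoted attribute value.
# '&' must be replaced first; otherwise the '&' of the entities produced by
# the later substitutions is rewritten and the reader sees "&lt;" literally.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# The order used in the attached patch, kept only to show its effect.
sub html_escape_patch_order {
    my ($s) = @_;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/&/&amp;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/#//g;
    return $s;
}

# Untaint a file/node name by matching it against an explicit whitelist.
# Only the captured group ($1) is untainted, so nothing outside the class
# can reach zcat's command line, and ".." is rejected before the match.
# Hypothetical helper: the character class is an assumption of this example.
sub untaint_info_name {
    my ($name) = @_;
    return undef if $name =~ /\.\./;
    return $name =~ /\A([A-Za-z0-9._-]{1,64})\z/ ? $1 : undef;
}

# Constructed inputs standing in for hostile query-string values.
my @messages = (
    'No such file: <script>alert(1)</script>',
    'Node "foo" & bar',
);

for my $m (@messages) {
    printf "input:       %s\n", $m;
    printf "correct:     %s\n", html_escape($m);
    printf "patch order: %s\n\n", html_escape_patch_order($m);
}

for my $n ('emacs.info', '../../etc/passwd', 'a;rm -rf x') {
    my $ok = untaint_info_name($n);
    printf "%-20s -> %s\n", $n, defined $ok ? "accepted ($ok)" : 'rejected';
}
```

Run it as `./example.pl` or `perl -T example.pl`; a bare `perl example.pl` aborts with "Too late for "-T" option" because the switch is only on the `#!` line. The first message shows the patch's order turning `&lt;script&gt;` into `&amp;lt;script&amp;gt;`, which is harmless but renders wrongly; the untaint loop shows that a whitelist capture, not a blacklist of shell metacharacters, is what satisfies taint mode.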