On Tue, 5 Feb 2002, Elmar Hoffmann wrote:
> Dancer calls external commands via the Execute() function, which uses
> popen() and thus is vulnerable to attacks using shell special chars.
> A comment in the source suggests using quoting to protect against
> malicious user input and functions like CmdCalc() do this using ",
> but that does not protect against all attacks.
> For example, a command like
> calc $(touch test)
> is not caught and does create a file named test in the bot's current
> As a *quick workaround*, I just committed a patch to transfer.c that
> activates further tests for special shell chars that were commented
> out before and adds a check for '$'.
> This only makes Execute() a bit more secure, while quoting with '
> instead of " and filtering more special chars probably help further,
> IMO an actual solution that involves getting rid of popen() should
> be found.
> Till someone does this, users should be warned and urged to activate
> execprotect (maybe a note on the website?).
First off, it has been known from the beginning that executing programs
from within a bot is a very bad idea; secondly, the default setting is off.
Maybe a note in the manual can rectify this omission.
It is only the bot owner that can turn on execprotect anyway, and he
should be aware of the implications of doing so.
If one really really wants to run a secure bot, it should not be on the
Elevation of shell commands should also only be available to trusted
With all this said, maybe a string escape function needs to be implemented
to escape all shell characters, thereby effectively preventing the commands
from being of any harm.
However this is also not an easy task to perform, since some characters
actually make sense to pass to programs unescaped in one context and not
Perhaps the safest approach is to check the command arg string against a
list of approved characters and deny execution if a non-match is found?
btw: how many developers are actually reading this list? :-)
Moreover, how many are actually working on dancer these days?
darth@... | Babel: Internet Cafe
vader@... | Noerrebrogade 211
Chris Larsen | Copenhagen
System Manager |
PGP-key id: 0x137993A5
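The allowlist approach suggested at the end of the reply, as an added example that is not Dancer's code: every byte of the argument must be in an approved set (so the quoted `calc $(touch test)` is refused before anything runs), and the program is started through fork()/execvp() rather than popen(), so no shell ever interprets the argument. The function names and the exact approved set are assumptions.

```c
/* Added example, not Dancer's transfer.c. Names and the approved character
 * set are assumptions chosen to fit a calc-style argument. */
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if every byte of s is alphanumeric or in the approved extras,
 * 0 otherwise. NULL and empty strings are rejected. Shell metacharacters
 * such as $ ( ) ; | & ` < > and quotes are deliberately absent. */
int arg_is_approved(const char *s)
{
    static const char extra[] = " +-*/._,=";  /* assumed: enough for calc */
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && strchr(extra, c) == NULL)
            return 0;
    }
    return 1;
}

/* Runs prog with the single argument arg, without involving a shell.
 * Returns the child's exit status, or -1 if the argument was rejected,
 * fork() failed, or the child did not exit normally. */
int execute_checked(const char *prog, const char *arg)
{
    if (!arg_is_approved(arg))
        return -1;                 /* deny execution on any non-match */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* argv is passed directly: $(...), ;, | etc. would be literal bytes */
        char *const argv[] = { (char *)prog, (char *)arg, NULL };
        execvp(prog, argv);
        _exit(127);                /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Compared with the `"`-quoting used by CmdCalc(), the check above needs no knowledge of which characters the shell expands, because the shell is never invoked at all.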