[Cc: ro...@sf..., ro...@cv..., because I can't find an e-mail address
@sf.net to which I should report this.]
Folks:
I experimented a bit and confirmed that with current HEAD version of syncmail it
is indeed possible to invoke arbitrary shell commands like this:
$ mkdir test\"\;eval
$ touch test\"\;eval\ /whoami\;\"echo\
$ cvs add test\"\;eval\ /whoami\;\"echo\
$ cvs commit -m " Don't look -- it's too awful."
I was able to run "whoami" on cvs.pyutil.sourceforge.net as user `zooko',
despite the fact that the `zooko' account on that machine is a restricted shell
which is disallowed from all actions other than invoking cvs.
Here is a patch appended, named "Patch 3", which fixes this hole. You should
also consider the prophylactic clean-up patch, "Patch 1":
[1] http://sourceforge.net/mailarchive/forum.php?thread_id=561598&forum_id=8207
If you apply Patch 2:
[2] http://sourceforge.net/mailarchive/forum.php?thread_id=561512&forum_id=8207
then it supersedes the appended Patch 3 (but you should still apply Patch 1).
Please let me know if I should use patch manager for this. Feel free to give me
cvs write access (account name: zooko) if you want me to commit these myself.
Regards,
Zooko
---
zooko.com
Security and Distributed Systems Engineering
---
[3] Patch 3:
Index: syncmail
===================================================================
RCS file: /cvsroot/pyutil/CVSROOT/syncmail,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- syncmail 27 Mar 2002 11:28:01 -0000 1.3
+++ syncmail 27 Mar 2002 11:59:44 -0000 1.4
@@ -68,7 +68,7 @@
import getopt
# Notification command
-MAILCMD = '/bin/mail -s "CVS: %(SUBJECT)s" %(PEOPLE)s 2>&1 > /dev/null'
+MAILCMD = "/bin/mail -s 'CVS: %(SUBJECT)s' %(PEOPLE)s 2>&1 > /dev/null"
# Diff trimming stuff
DIFF_HEAD_LINES = 20
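Review bot: switching the template to single quotes around %(SUBJECT)s makes the shell treat ", ;, $ and backticks inside the subject literally, but a ' in the subject still terminates the quoted string, so this hunk is only safe together with the SUBJECT replacement in the second hunk; a comment above MAILCMD stating that dependency would keep a later edit to either line from reopening the hole. Two further points visible in the same line: %(PEOPLE)s is still interpolated without any quoting, and the redirection `2>&1 > /dev/null` sends stderr to the original stdout rather than discarding it (use `> /dev/null 2>&1` if both streams are meant to be silenced). A more robust fix would avoid the shell entirely by spawning /bin/mail with an argument list (os.fork plus os.execv, or os.spawnv), which removes the quoting problem for every interpolated field at once.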
@@ -191,7 +191,7 @@
# $CVSROOT, followed by the list of files that are changing.
if not args:
usage(1, 'No CVS module specified')
- SUBJECT = args[0]
+ SUBJECT = string.replace(args[0], "'", '"')
specs = string.split(args[0])
del args[0]
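Review bot: replacing ' with " in args[0] closes the one remaining way out of the single-quoted subject in MAILCMD, but it silently alters the subject text (it's becomes it"s) and only works if the MAILCMD hunk is applied as well; a short comment on this line saying that SUBJECT must never contain a single quote because of the quoting in MAILCMD would document that coupling. Note also that `specs = string.split(args[0])` still uses the unmodified args[0], which is fine for the file list but means SUBJECT and specs now differ for the same input.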
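As an added illustration (not part of the report or of syncmail itself), the following Python compares Patch 3's quoting approach with the argv-based approach that avoids the shell altogether; the subject string and the recipient address are constructed placeholders, and shlex is used to show how /bin/sh would split each command without running it.

```python
import shlex
import subprocess

# Constructed sample input modelled on the report: the subject carries
# the characters that end a double-quoted or single-quoted shell string
# plus a command separator.
SAMPLE_SUBJECT = 'test"; eval whoami; "echo'
SAMPLE_PEOPLE = ['commits@example.invalid']   # placeholder recipient

# Template as changed by Patch 3 (single quotes around the subject).
PATCHED_MAILCMD = "/bin/mail -s 'CVS: %(SUBJECT)s' %(PEOPLE)s 2>&1 > /dev/null"


def patched_command(subject, people):
    """Patch 3's approach: single-quote the subject in the template and
    turn every ' in it into " so it cannot terminate the quoting.
    The subject text is altered as a side effect."""
    return PATCHED_MAILCMD % {'SUBJECT': subject.replace("'", '"'),
                              'PEOPLE': ' '.join(people)}


def mail_argv(subject, people):
    """Argument vector for /bin/mail with no shell in between: each
    element reaches execve() verbatim, so quotes and semicolons in
    `subject` are just characters of the -s argument."""
    return ['/bin/mail', '-s', 'CVS: ' + subject] + list(people)


def quoted_command(subject, people):
    """If a shell command string is unavoidable, quote every
    interpolated value with shlex.quote instead of hand-placing
    ' or " in the template."""
    return (' '.join(shlex.quote(a) for a in mail_argv(subject, people))
            + ' > /dev/null 2>&1')


def shell_words(command):
    """Split `command` the way /bin/sh would, without executing it;
    used to check that the subject stays a single word."""
    return shlex.split(command)


def send(subject, people):
    """Run /bin/mail via argv (never shell=True); returns exit status.
    Not exercised by the checks because it needs a local /bin/mail."""
    return subprocess.call(mail_argv(subject, people),
                           stdout=subprocess.DEVNULL,
                           stderr=subprocess.STDOUT)
```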