From: Charles Forsyth
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Date: Mon, 29 Sep 2014 14:20:46 +0100
Subject: Re: [9fans] shell functions

On 29 September 2014 14:03, arisawa wrote:

> today, we have a number of malicious request to our web server.
> assume a web server accept a request with a query
>         query='fn#foo=fn%20foo%20{echo%20yes};%20echo%20no%0a’

but why should a web server put arbitrary data from a remote user unrestrained into the environment?
even if rc used a restricted parser, as it stands you could still write fn#cd=fn%20cd%20{do_horrible_thing}
and it would stand a good chance of doing the horrible thing if the web server runs a shell script that does a cd.

really, as with Apache, the problem is the uncritical nature of the web server.

it's probably reasonable to have rc use a parser that accepts only functions, but that's for precision, not to fix a security problem elsewhere.

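The point made in the message above, as an added example that is not part of the original message and not code from rc or any web server: an uncritical server lets the remote user choose environment names, while a restrained one places remote data only under names the server picked. It assumes rc treats environment entries named `fn#name` as function definitions; `ALLOWED_PARAMS`, `PREFIX` and all function names are hypothetical, and the sample query is constructed from the one in the message.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample: the query from the message plus one ordinary parameter.
SAMPLE_QUERY = "fn#cd=fn%20cd%20{do_horrible_thing}&page=index"

SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")   # no '#', '=', NUL or whitespace
ALLOWED_PARAMS = {"page", "lang"}          # hypothetical per-script allowlist
PREFIX = "FORM_"                           # hypothetical fixed namespace


def naive_env(query, base_env):
    """Uncritical server: every parameter name becomes an environment name."""
    env = dict(base_env)
    for name, value in parse_qsl(query, keep_blank_values=True):
        env[name] = value                  # the remote user picks the name
    return env


def restrained_env(query, base_env):
    """Remote data appears only under names the server chose."""
    env = dict(base_env)
    env["QUERY_STRING"] = query            # raw query under one fixed CGI-style name
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in ALLOWED_PARAMS and SAFE_NAME.fullmatch(name):
            env[PREFIX + name] = value     # value is data; the name is ours
    return env


def rc_function_names(env):
    """Entries a child rc would treat as function definitions (fn#name)."""
    return sorted(n for n in env if n.startswith("fn#"))


if __name__ == "__main__":
    base = {"path": "/bin"}
    print(rc_function_names(naive_env(SAMPLE_QUERY, base)))
    print(restrained_env(SAMPLE_QUERY, base))
```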