From: arisawa
Date: Mon, 29 Sep 2014 22:03:15 +0900
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] shell functions

Hi, Richard,

Problems come from careless CGI handling.
Keep the following result in mind:

term% 'fn#foo'='fn foo {echo yes}; echo no '
term% rc
no
term%

Today, we have a number of malicious requests to our web server.
Assume a web server accepts a request with a query

query='fn#foo=fn%20foo%20{echo%20yes};%20echo%20no%0a'

If the query is processed as follows (the explanation is only for demo):

term% query='fn#foo=fn%20foo%20{echo%20yes};%20echo%20no%0a'
term% echo $query
fn#foo=fn%20foo%20{echo%20yes};%20echo%20no%0a
term% ifs='=' a=`{echo -n $query}
term% b=`{echo -n $a(2) | sed 's/%20/ /g; s/%0a/\n/g'}
term% echo -n $b
fn foo {echo yes}; echo no
term% $a(1)=$b
term% rc
no
term%

We can avoid such attacks by putting a prefix (say 'QS_', as Pegasus does) at the last stage:

QS_$a(1)=$b

Assume the input field is "name"; then some people believe $a(1) is "name", and may carelessly execute, for simplicity,

$a(1)=$b

and such a CGI will work for almost all cases (because they are not malicious).

Even if the extra command in

fn foo {…}; maliciouscommand

is removed when starting rc, careless handling makes problems.
However, there is a big difference in dangerousness between some environment variables being destroyed and arbitrary commands being executed.

Kenji Arisawa

On 2014/09/28 18:39, Richard Miller <9fans@hamnavoe.com> wrote:

>> When rc is invoked, rc reconstructs shell variables and shell functions using files in /env/.
>> In the case of shell functions, rc evaluates the whole data in the file.
>> This feature makes problems if the content is
>> fn foo {…}; maliciouscommand
>
> How would a malicious agent put something into /env? If it's possible,
> how is this different from putting something into $home/bin/rc or
> binding something into /rc/bin ?
>
>
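A hardened version of the CGI handling discussed in the mail, written as an added example (it is neither Arisawa's code nor Pegasus's): field names are checked against a plain-identifier pattern before being assigned under the QS_ prefix, so the fn#foo field from the demo is rejected instead of reaching /env. The grep-based name check, the benign second field and the helper name setfield are assumptions of this example; the decoding only covers the %20 and %0a escapes the mail uses.

```rc
#!/bin/rc
# Added example, not code from the mail or from Pegasus: store CGI fields as
# QS_-prefixed rc variables so that a field named fn#foo cannot define an rc
# function through /env. Assumes Plan 9 rc, grep and sed; the decoding only
# handles the %20 and %0a escapes that the mail discusses, and assumes a
# value contains no '=' of its own.

fn setfield {
	# $1: field name, $2: percent-encoded value
	# accept only plain identifiers as names; fn#foo is rejected here
	if(echo -n $1 | grep -s '^[A-Za-z_][A-Za-z0-9_]*$'){
		v=`{echo -n $2 | sed 's/%20/ /g; s/%0a/\n/g'}
		# the QS_ prefix keeps even an accepted name outside rc's fn# namespace
		QS_$1=$v
	}
	if not
		echo 'rejected field name:' $1 >[1=2]
}

# constructed request: the malicious field from the mail plus a benign one
query='fn#foo=fn%20foo%20{echo%20yes};%20echo%20no%0a&name=Alice'
ifs='&' fields=`{echo -n $query}
for(f in $fields){
	ifs='=' kv=`{echo -n $f}
	setfield $kv(1) $kv(2)
}
# the fn#foo field is reported on stderr; only QS_name is defined
whatis QS_name
```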