From mboxrd@z Thu Jan 1 00:00:00 1970
From: valentin.haenel at gmx.de (Valentin Haenel)
Date: Mon, 29 Oct 2012 10:43:47 +0100
Subject: [PATCHv2 2/3] Add ability to authorize viewing a repository
In-Reply-To: 
References: <1350378927-10834-1-git-send-email-valentin.haenel@gmx.de> <1350894558-24840-2-git-send-email-valentin.haenel@gmx.de>
Message-ID: <20121029094346.GD17370@kudu.in-berlin.de>

* Jason A. Donenfeld [2012-10-28]:
> On Sat, Oct 27, 2012 at 7:00 PM, Ben Boeckel wrote:
> > Single quote the arguments to the executable. This is ripe for code
> > execution (remote_user is under attacker's control).
>
> Was going to mention this myself, but you beat me to it. Dead on.
> Correctamundo.
>
> Please double double tripe triple check your code before submitting things.

I added the single quotes as suggested.

When I looked at the code initially, I was reasoning that the remote_user is set by the authentication part, in our case this is Apache, which in turn asks LDAP. Furthermore, Apache sets the remote_user and forwards to cgit only if the user is actually a valid user. So my assumption was that remote_user is not under the attacker's control.

I guess I need some more help to understand why I am mistaken about this. Is it the case that the assumption fails if an attacker can inject something into LDAP, so he may be able to pass through Apache successfully and then have his exploit, which is in remote_user, be executed on the machine which is running cgit?

V-
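The quoting Ben and Jason ask for above, as an added example that is not the cgit patch's code: a single-quoting routine that also handles a quote character inside remote_user, which a plain wrap in quotes would miss, and refuses rather than truncates when the buffer is too small. The "auth-filter" and "repo.git" names in the demo are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Quote an untrusted string for a POSIX shell. Inside single quotes the
 * shell expands nothing, so only an embedded ' needs work: it becomes
 * '\'' (close the quotes, a backslash-escaped quote, reopen). Writes to
 * out and returns the length without the NUL, or -1 if outlen is too
 * small. */
static int shell_quote(const char *in, char *out, size_t outlen)
{
    size_t need = 2;                        /* the surrounding quotes */
    for (const char *p = in; *p; p++)
        need += (*p == '\'') ? 4 : 1;
    if (need + 1 > outlen)                  /* +1 for the NUL */
        return -1;
    size_t n = 0;
    out[n++] = '\'';
    for (const char *p = in; *p; p++) {
        if (*p == '\'') { memcpy(out + n, "'\\''", 4); n += 4; }
        else            { out[n++] = *p; }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Quote `in` and compare with `expected` (used by the demo and tests). */
static int quotes_to(const char *in, const char *expected)
{
    char buf[256];
    return shell_quote(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample REMOTE_USER values: a plain name, one with an
     * embedded quote, one with metacharacters that must stay literal.
     * "auth-filter" and "repo.git" are assumed names, not cgit's. */
    const char *users[] = { "alice", "o'brien", "bob; $HOME" };
    char quser[256], qrepo[256], cmd[600];
    shell_quote("repo.git", qrepo, sizeof qrepo);
    for (size_t i = 0; i < 3; i++) {
        if (shell_quote(users[i], quser, sizeof quser) < 0)
            continue;                       /* too long: refuse, don't truncate */
        snprintf(cmd, sizeof cmd, "auth-filter %s %s", quser, qrepo);
        printf("%s\n", cmd);
    }
    return 0;
}
```

Quoting stops the shell from interpreting the value, but it does not take the shell out of the path; handing the helper an argv via fork/execv avoids the interpretation step altogether.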