From: "G. Branden Robinson" <g.branden.robinson@gmail.com>
To: The Eunuchs Hysterical Society
Date: Tue, 1 Aug 2023 07:31:39 -0500
Subject: [TUHS] Re: shell escapes in utilities
Message-ID: <20230801123139.6splbkt4n7c75wu7@illithid>
In-Reply-To: <87zg3b3sc0.fsf@vuxu.org>
References: <87zg3b3sc0.fsf@vuxu.org>
List-Id: The Unix Heritage Society mailing list

At 2023-08-01T13:38:55+0200, Leah Neukirchen wrote:
> > I got to wondering, based on the sendmail discussions, how many
> > shell escapes have appeared over the years?
> >
> > uucp
> > sendmail
> > xdvi : "The "allowShell" option enables the shell escape in PostScript specials"
>
> From the top of my head, where it can be disabled:
>
> ghostscript (see above)
> tex (write18)
> ed/ex/vi
> nethack

And the *roffs of course.  nroff/troff/groff, with the `sy` (system(3))
and `pi` (popen(3)) requests.  pic(1) as well ("sh").

groff has, since version 1.12 in 1999, disabled these features by
default; the '-U' ("unsafe") command-line option reënables them.  It
added some additional unsafe requests for arbitrary stream I/O, `open`,
`opena` (open with append), and `pso` (`so` for pipeline output).
I recently learned of a limitation in the way AT&T and GNU *roffs, at
least, construct the string `sy` passes to system(3), which makes
certain things impossible.  Unfortunately it forecloses useful
applications, not any particularly malicious ones.

There is a problem with trying to embed true newlines into the arguments
of a `sy` request.  The C++ function that GNU troff uses to assemble the
command string (character by character) _does not recognize C/C++ string
literal escape sequences_.  This means that you _cannot_ embed "\n" in
`sy`'s arguments and have it survive, as a newline character, into the
command string passed to the standard C library's system(3) function.
("A\nB" gets encoded as 'A', '\\', 'n', 'B', not 'A', '\n', 'B'.)

Unfortunately, this appears to be AT&T troff-compatible behavior.  But
it means that you _cannot_ portably construct multi-line replacement
text for sed's 's' command.  (Other sed commands like 'a', 'c', and 'i'
will be similarly affected.)  See Savannah #64071.

AT&T troff obviously wasn't written in C++, so this would appear to be
an instance of independent oversight.  (Where James Clark had gripes
about AT&T troff behavior, he left them in source code comments.)

I aim to fix this.  If I can write an arbitrary shell command, then I
darn well ought to be able to embed an arbitrary sed script in that
shell command (without needing a GNU sed extension to embed newlines).
Regards,
Branden
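An added example, not part of Branden's message and not code from the groff project: a shell pre-flight check that greps roff input for the requests the message lists as disabled in groff's default safer mode and re-enabled by -U (`sy`, `pi`, `open`, `opena`, `pso`). The function names (roff_unsafe_requests, roff_unsafe_count, write_sample_roff) and the sample document are constructed here for illustration. It only matches literal request lines introduced by the `.` or `'` control character; a request reached through .als/.rn aliasing, string interpolation, a macro file pulled in with .so, or pic's `sh` is not seen, so a clean result means "nothing obvious", not that the file is safe to hand to groff -U.

```shell
#!/bin/sh
# Added example: flag roff requests that groff honours only under -U.
# Assumptions: POSIX sh, grep -E, mktemp; nothing here is groff's own code.

# Request names taken from the message above: sy, pi, open, opena, pso.
UNSAFE_ROFF_REQUESTS='sy|pi|pso|open|opena'

# Print file:line:text for every line that invokes one of the unsafe
# requests.  A request line is a control character (. or ') at the start
# of the line, optional blanks, the request name, then a blank or EOL,
# so ".sync" or ".ds sy ..." do not count.  Exit 0 if any hit, 1 if none.
roff_unsafe_requests() {
    grep -nE "^[.'][[:blank:]]*(${UNSAFE_ROFF_REQUESTS})([[:blank:]]|\$)" "$@"
}

# Number of hits across the given files, for use in scripts/CI gates.
roff_unsafe_count() {
    roff_unsafe_requests "$@" | wc -l | tr -d ' '
}

# Constructed sample document (not a real man page): a few harmless
# lines, several unsafe requests in the forms troff accepts, and two
# look-alikes that must not match.  Prints the temp file path.
write_sample_roff() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
.TH EXAMPLE 1
.SH NAME
example \- a document carrying shell escapes
.sy echo pwned > /tmp/pwned
'pi cat
.  pso uname -a
.open out /tmp/out
.opena log /tmp/log
.ds sy not a request, just a string named sy
.sync
.sy
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: scan the sample and report.
sample=$(write_sample_roff)
roff_unsafe_requests "$sample"
echo "unsafe requests found: $(roff_unsafe_count "$sample")"
rm -f "$sample"
```

A non-zero count is the signal to keep the document in groff's default (safer) mode, where, per the message, these requests are disabled; only pass -U for input you have read. Because the check is textual, treat it as a cheap first filter in front of an untrusted man page or roff source, not as a substitute for the interpreter's own safer mode.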