httpd-dev mailing list archives

From Alexei Kosut <>
Subject Re: Bug?
Date Mon, 29 Jul 1996 14:30:54 GMT

On Mon, 29 Jul 1996, Ben Laurie wrote:

> > > Because it's easier. argv[1] is shorter than getenv("QUERY_STRING") and a pile
> > > of stuff to parse it. It also means that I can test the CGIs more easily. OK,
> > > so I'm being lazy, but isn't that what software is for?
> > 
> > So write more software. Don't break existing software.
> I had no intention of breaking existing software. It's just that I thought this
> behaviour was introduced by the spurious security hole patch.

No. This behavior has been in both the CERN and NCSA servers since
the dawn of time. Well, 1993 at least.

> > You're probably right. In fact, I know you're right. That's exactly why
> > the behavior *has* to stay the way it is. Because it's defined that way.
> > If you take a look at the original CGI spec, on either NCSA or CERN's
> > sites (probably David Robinson's internet draft, too), you'll see that
> > argv is defined as being shell-escaped arguments.
> I've just checked (at NCSA, CERN points me to W3 which is currently buggered),
> and the spec reveals why there's nothing passed on the command line when
> there's an '=' in the query (that is, it says "when there's an '=' in the
> query don't pass anything on the command line". This is perverse in my view,
> but that is what it says). However, as far as I can see, it says nothing about

It was supposed to stop people from using the command line with forms,
which use = in the query string.

> escaping. In fact it hardly says anything about anything. It could be that it
> was "improved" during the transition to a groovy HTML-ized document. Do you
> know where the original flat text version is?

Yeah, the CGI specs (both of 'em) do say very little. However, you can
look at a "real" specification (albeit one written after the fact, based
on the behaviors of the servers) at,
which says, and I quote: "The words have any characters which are
`active' in the Bourne shell escaped with a backslash."

The reason for this is pretty simple if you look at the example scripts
that NCSA and CERN ship with. For example, the "finger" script which
basically amounts to (once you take out some HTML):


finger "$*"

The point here being that this script and others like it pass these
arguments directly on to the shell; sometimes protected by quotes as this
one is, but often-times not. What this means is that if the characters are
not escaped, you end up with a security problem. A pretty big one.

One, in fact, that we're *still* closing. The CERT advisory a few months
ago that had us add \n and \r to the list of characters to escape, for
example. That was directly to do with this problem; 

If you take out this functionality, anyone who has CGI scripts that use
the shell and command line arguments (of which, there are no doubt, many,
since they were included with NCSA httpd for all those years, and still
are) gets, to use a technical term, screwed.

I'd rather see the command line arguments just *removed*. It'd at least be

-- Alexei Kosut <>            The Apache HTTP Server
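
The rule discussed in this message, as an added example that is not part of the original e-mail and is not Apache's, NCSA's or CERN's code: a query containing `=` yields no command-line arguments, and otherwise each `+`-separated word is URL-decoded and has shell-active characters backslash-escaped. The function names, the 64-byte word buffers and the exact character set (including space and tab) are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed "active" set for this example, incl. the \n and \r from the message. */
static const char SHELL_ACTIVE[] = "&;`'\"|*?~<>^()[]{}$\\ \t\n\r";

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Decode %XX, then backslash-escape; returns length, -1 on %00 or overflow. */
int escape_word(const char *w, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        int c = (unsigned char)w[i];
        if (c == '%' && i + 2 < len && isxdigit((unsigned char)w[i + 1])
                                    && isxdigit((unsigned char)w[i + 2])) {
            c = hexval(w[i + 1]) * 16 + hexval(w[i + 2]);
            i += 2;
        }
        if (c == '\0' || o + 3 > outsz) return -1; /* room for '\\', c, NUL */
        if (strchr(SHELL_ACTIVE, c)) out[o++] = '\\';
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Word count; 0 if the raw query has '=' (form data); -1 on error. */
int cgi_args(const char *query, char args[][64], int max)
{
    int n = 0;
    if (strchr(query, '=')) return 0;
    for (const char *p = query; *p && n < max; n++) {
        size_t len = strcspn(p, "+");
        if (escape_word(p, len, args[n], 64) < 0) return -1;
        p += len;
        if (*p == '+') p++;
    }
    return n;
}

int main(void)
{
    char args[4][64];
    int n = cgi_args("alice+a%3Bb+x%0Ay", args, 4); /* constructed query */
    for (int i = 0; i < n; i++) printf("argv[%d] = %s\n", i + 1, args[i]);
    return 0;
}
```

The `=` test runs on the raw query before decoding, and words beyond `max` are silently dropped in this sketch.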
