[pmwiki-users] Faster searches and categories
Martin Fick
fick at fgm.com
Mon Sep 12 15:27:15 CDT 2005
> As an aside, I'm concerned that the $ginclp variable in
> grepsearch.php makes it possible for anyone to execute
> arbitrary commands on the server-- consider the effect of
> (if you attempt this, do it on a BACKUP!):
>
> (:pagelist 'foo bar ; rm -rf . ; echo' :)
>
> which I think causes the executed shell command to become
>
> cd wiki.d; F=`find . -type f |grep -v '^\./\.'`;
> grep -l -i -e foo bar ; rm -rf \. ; echo \$F |sed -es'|^.*/||g'
>
> which would be a really Bad Thing. So there needs to be
> some sort of guards put in place to prevent that sort of
> thing from happening...
Hmm, I was not aware that users could use quotes to get
filenames through like that!
This does not seem to happen because for some reason /s are
replaced with \s making paths unreadable. I tried simpler
safe versions and could not get them to work.
Do you think this simple fix would safeguard things better:
switch

    $ginclp .= "-e $ip ";

to

    $ginclp .= "-e '$ip' ";
or could single quotes get injected somehow?
-Martin
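The two quoting strategies discussed above, side by side, as an added example (not code from PmWiki's grepsearch.php). It assumes the search terms arrive as an array of strings and only builds the "-e ..." fragment of the grep command line; nothing is executed.

```php
<?php
// Added example, not PmWiki's own code. Builds the "-e term" fragments
// that grepsearch.php appends to $ginclp, for a Unix shell, without
// running anything.

// Weak form proposed in the thread: wrap each term in single quotes.
// A term that itself contains a single quote closes the quoted region,
// so everything after that quote is parsed by the shell as new words
// (at best a syntax error, at worst extra arguments or commands).
function ginclp_singlequoted(array $terms): string {
    $ginclp = '';
    foreach ($terms as $ip) {
        $ginclp .= "-e '$ip' ";
    }
    return $ginclp;
}

// Hardened form: escapeshellarg() wraps the term in single quotes and
// rewrites every embedded single quote as '\'' (close quote, escaped
// quote, reopen quote), so the shell always sees one literal argument.
function ginclp_escaped(array $terms): string {
    $ginclp = '';
    foreach ($terms as $ip) {
        $ginclp .= '-e ' . escapeshellarg($ip) . ' ';
    }
    return $ginclp;
}

// Constructed input: an ordinary search term that happens to contain
// an apostrophe is enough to break the hand-rolled quoting.
$terms = ['foo', "it's"];

echo "single-quoted : ", ginclp_singlequoted($terms), "\n";
// -e 'foo' -e 'it's'      <- unbalanced quotes: shell no longer sees one term
echo "escapeshellarg: ", ginclp_escaped($terms), "\n";
// -e 'foo' -e 'it'\''s'   <- still exactly two literal arguments
```

escapeshellarg() quotes differently on Windows, so the comments above describe the Unix shell case only.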