[pmwiki-users] Faster searches and categories

Martin Fick fick at fgm.com
Mon Sep 12 15:27:15 CDT 2005


> As an aside, I'm concerned that the $ginclp variable in 
> grepsearch.php makes it possible for anyone to execute 
> arbitrary commands on the server-- consider the effect of
> (if you attempt this, do it on a BACKUP!):
> 
>     (:pagelist 'foo bar ; rm -rf . ; echo' :)
> 
> which I think causes the executed shell command to become
> 
>     cd wiki.d; F=`find . -type f |grep -v '^\./\.'`; 
>     grep -l -i -e foo bar ; rm -rf \. ; echo \$F |sed -es'|^.*/||g'
> 
> which would be a really Bad Thing.  So there needs to be
> some sort of guards put in place to prevent that sort of
> thing from happening...

Hmm, I was not aware that users could use quotes to get
filenames through like that!  

This does not seem to happen because for some reason /s are
replaced with \s making paths unreadable.  I tried simpler 
safe versions and could not get them to work.

Do you think this simple fix would safeguard things better:

switch
    $ginclp .= "-e $ip ";

to
    $ginclp .= "-e '$ip' ";


or could single quotes get injected somehow?

-Martin
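The quoting question in this message, worked through as an added PHP example that is not pmwiki's grepsearch.php: it builds the "-e term" fragment the proposed fix produces next to the same fragment built with PHP's escapeshellarg(), and shows an allowlist check on the terms before anything reaches a shell (the function names and the sample terms are made up for the illustration).

```php
<?php
// Added example, not pmwiki's own grepsearch.php. Builds the "-e term"
// arguments that get spliced into a shell command line, first as proposed
// in the thread, then with escapeshellarg().

// Proposed fix from the thread: wrap each term in single quotes. A term that
// itself contains a single quote closes the quoting early, so the remainder
// of the term is seen by the shell unquoted.
function build_naive(array $terms): string {
    $ginclp = '';
    foreach ($terms as $ip) {
        $ginclp .= "-e '$ip' ";
    }
    return $ginclp;
}

// Hardened version: escapeshellarg() single-quotes the argument and rewrites
// every embedded single quote as '\'' so the term always stays one shell word
// no matter which characters the user supplied.
function build_safe(array $terms): string {
    $ginclp = '';
    foreach ($terms as $ip) {
        $ginclp .= '-e ' . escapeshellarg($ip) . ' ';
    }
    return $ginclp;
}

// Defence in depth: an allowlist check applied before the command is even
// assembled (letters, digits, spaces and a few punctuation marks only).
function term_is_acceptable(string $ip): bool {
    return preg_match('/^[\w .,\-]+$/u', $ip) === 1;
}

// Constructed search terms; the second one contains an apostrophe.
$terms = ['foo', "don't"];

echo build_naive($terms), "\n";
// -e 'foo' -e 'don't'        <- the apostrophe ends the quoting early
echo build_safe($terms), "\n";
// -e 'foo' -e 'don'\''t'     <- still a single argument to grep

foreach ($terms as $ip) {
    printf("%-8s %s\n", $ip, term_is_acceptable($ip) ? 'accepted' : 'rejected');
}
```

The allowlist rejects "don't" while escapeshellarg() still passes it to grep intact, so the two checks are complementary rather than alternatives.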
