Sorry, too much hassle to do quoting correctly here :-)
test.sh '';rm -rf /#'
Have you tried this?
This is not even passing the parameter to the test.sh and would barf your system as well if you use an equivalent test.pl
So please try your claims before using them in arguments.
There is no real exec call in shell. Even using the exec instruction explicitly, you won't execute parameters.
> call a shell script from something which is not a shell
Maybe you meant the reverse?
Anyway, in shell you call stuff which is not a shell from the shell. And this works very well even when you're ignoring security concerns.
If you don't use CPAN, you will call the shell from perl. At least that's what most users do: system()
I recently directed someone to use CPAN to get his work done, and the resulting perl was just an accumulation of various calls to other utilities. And we paid for that guy!
Injections galore! Transforming the perl into simple shell (what it in effect is) and the injections are gone.
Other possibility is of course use all the fancy stuff from CPAN to do the job.
But why is everybody using system()? What is wrong with exec()?
And then you have the usage of `` inside perl which I come across quite often.
Perl has way too many places where you can build bad code.
shell has just a few.
> Erm... If $command is constructed insecurely, you have precisely the same problem in the shell as in Perl.
No it's not.
Let's make an insecure command (mind the usage of single quotes, else the example is futile):
command='cat file;$(ls > list)'
$command
cat: file;$(ls: No such file or directory
cat: >: No such file or directory
cat: list): No such file or directory
Oh dang! It did not do what you thought.
> In other words, you're still allowing the user to pass arbitrary parameters to convert, which is still a bug.
Does it corrupt the system? Well, no. Yes, it's a bug (bad coding style; oh, that statement I know as well from the perl world).
> And the solution is trivial -- use sysopen, no sanitizing needed.
Which should indeed be the default; screw the open call, it's bringing problems. Wizards should use open, beginners use sysopen. But in the real world it's the reverse.
> TFA is suggesting we call "convert" from whatever we wrote our web service in, while I'm suggesting we use native bindings.
In this I'm OK with you, if someone wants to call convert instead of a binding, he should write the webservice in a language meant to be used to call convert, and that's shell. Else he should use a language which has imagemagick bindings or don't do it at all.
Georges
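As an added illustration of the point made in the post above, the difference between running `$command` and running `eval $command`, here is a small shell script written for this page (it is not code from the thread). It assumes a POSIX sh and a writable temp directory via mktemp -d; the payload string is constructed for the demonstration. It also shows the caveat the thread touches on later: word splitting still happens, so the callee does see "; rm -rf /; #" as five separate arguments.

```sh
#!/bin/sh
# Added example, not code from the thread above. It demonstrates the point
# made there: data that reaches a command line through plain variable
# expansion ($command) is split into words but never re-parsed, so ';',
# backticks and $(...) inside it stay literal; only eval (or handing the
# string to a new sh) turns that data into code.
# Assumptions: a POSIX sh and a writable temp directory (mktemp -d).
# The payload is constructed for the demonstration.

# Build an attacker-style payload that, IF re-parsed, creates a marker file.
# $1 = directory in which the marker would appear.
make_payload() {
    printf 'echo hello;$(touch %s/marker)' "$1"
}

# Returns 0 if the marker appeared, i.e. the injected command actually ran.
marker_created() {
    if [ -e "$1/marker" ]; then return 0; else return 1; fi
}

# Case 1: the "$command" idiom. The string is expanded into words and the
# first word is run with the rest as its arguments. echo just prints them.
inject_via_expansion() {
    dir=$(mktemp -d)
    cmd=$(make_payload "$dir")
    $cmd >/dev/null 2>&1
    if marker_created "$dir"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# Case 2: eval. The expanded string is parsed again as shell code, so the
# command substitution runs. This is what a string handed to /bin/sh -c
# (Perl's one-argument system() or a "...|" open) gets as well.
inject_via_eval() {
    dir=$(mktemp -d)
    cmd=$(make_payload "$dir")
    eval "$cmd" >/dev/null 2>&1
    if marker_created "$dir"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# The caveat: word splitting still happens, so the callee sees
# '; rm -rf /; #' as five separate arguments, and a word starting with '-'
# can be taken as an option by the real tool (convert reported
# "unrecognized option `-rf'"). Globbing is switched off so '*' stays literal.
argc_after_expansion() (
    set -f
    set -- $1
    echo "$#"
)

# Stand-alone demonstration.
if inject_via_expansion; then echo "expansion: injected"; else echo "expansion: not executed"; fi
if inject_via_eval; then echo "eval: injected"; else echo "eval: not executed"; fi
echo "words seen by callee: $(argc_after_expansion '; rm -rf /; #')"
```

Run it directly and the three lines report, in order, that plain expansion executed nothing, that eval did run the substitution, and that the callee received five words. The last line is why "no code execution" is not the same as "safe": what the external tool does with a stray `-rf` argument is up to the tool.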
It starts to become pointless to discuss with you. Come on...
echo `rm *`
is NOT the same as
test.sh '`rm *`'
If you don't believe me, do first your tests.
Also arguing that convert may or may not have unexpected behaviour does not differ if you use perl or bash to call it. We discuss the problematic of perl ADDING insecurity compared to shell.
Because if you have that `rm *` parameter in the perl program, you will actually execute it, but not in shell!
The equivalent perl construct written in shell is:
eval $command
You never do that in shell, as
$command
works as well. And then you are safe.
If you have read my previous post, I *did* execute it with spaces. Remember the
test.sh "; rm -rf /; #"
It did not execute anything. Just convert did not know anything about the -r parameter. In perl it will have executed. Sanitizing needed for `, and for $ and for | and for > and, and, and. The list of problematic characters is long. I once tried to call convert with allowing to pass some convert parameters by the user too. To do it safely, it was a huge headache. So I resorted to only allowing very specific parameters.
In shell, as well as in perl, you need to know convert's parameter list. Either kill any - in the parameters or simply pattern match away the specific option which makes convert dangerous (I did not find any, looked for writing a file). But (repeating myself) in shell you do not need to know anything about something else (`$|>...) which has nothing to do with convert.
More specific case: awk
That's probably the closest you can get to inadvertently executing code (yeah, I help you there in your arguing...).
calling awk with
awk '/pattern/ {print '$variable'}' is bad
but this is like you should do it and it is safe
awk -v variable="$variable" '/pattern/ {print variable}'
Georges
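To make the awk contrast in the post above concrete, here is a shell script written for this page (not code from the thread). It splices a constructed payload into the awk program text the way the bad call does, then passes the same payload with -v and via ENVIRON, and checks in each case whether the injected command ran. It assumes a POSIX sh, an awk with system(), and mktemp -d; the input lines are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread. It contrasts the two awk calls
# in the post above: splicing a shell variable into the awk program text
# versus passing it as data with -v. Assumptions: POSIX sh, awk, mktemp -d.
# The input lines and the payload are constructed for the demonstration.

SAMPLE='pattern: first line
no match here
pattern: second line'

# Payload shaped for the unsafe call: it closes the string and the action,
# adds an END block that runs a command, and reopens a string so the
# program still parses. $1 = directory in which the marker would appear.
make_payload() {
    printf 'x"} END {system("touch %s/marker")} {print "y' "$1"
}

# Unsafe: the value becomes part of the awk PROGRAM. The single quotes are
# closed around it exactly like the post's '$variable' form, only with
# double quotes added so spaces survive. awk now executes attacker code.
awk_unsafe() {
    printf '%s\n' "$SAMPLE" | awk '/pattern/ {print "'"$1"'"}' 2>/dev/null
}

# Safe: -v hands the value to awk as a variable. It is data, never parsed
# as program text. (Caveat: -v still processes backslash escapes such as
# \n in the value; the ENVIRON variant below avoids even that.)
awk_safe() {
    printf '%s\n' "$SAMPLE" | awk -v var="$1" '/pattern/ {print var}'
}

# Safe and fully literal: pass the value in the environment, read ENVIRON.
awk_safe_environ() {
    printf '%s\n' "$SAMPLE" | var="$1" awk '/pattern/ {print ENVIRON["var"]}'
}

# Runs one of the functions above with the payload and reports whether the
# injected command executed (returns 0 = marker file appeared).
injected() {
    fn=$1
    dir=$(mktemp -d)
    "$fn" "$(make_payload "$dir")" >/dev/null
    if [ -e "$dir/marker" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# Number of output lines the -v call produces for the payload: one per
# matching input line, each carrying the payload verbatim.
safe_output_lines() {
    awk_safe "$(make_payload /nonexistent)" | wc -l | tr -d ' '
}

# Stand-alone demonstration.
if injected awk_unsafe; then echo "spliced into program: injected"; else echo "spliced into program: not executed"; fi
if injected awk_safe; then echo "-v: injected"; else echo "-v: payload stayed data"; fi
if injected awk_safe_environ; then echo "ENVIRON: injected"; else echo "ENVIRON: payload stayed data"; fi
```

The first call is the same mistake as building a Perl or SQL string from user input: the boundary between program and data is a quote character the attacker controls. With -v or ENVIRON there is no such boundary to escape from, which is why the post's second form needs no sanitizing of `"`, `}` or `(`.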
You can much more easily inject nasty things into perl or php than into shell.
Erm... how so?
Give the perl script the following filename to open: "|rm *"
Have you ever seen a shell executing data?
Uhm... yes? That's what they do. Ever heard of a shell script?
No, shells execute shell code, like perl executes perl code.
Shells don't execute their parameters. Perl does (see above).
Give a shell "|rm *" and it will just try to open the file "./rm *".
Give it "$(rm *)" and still it's just complaining with $(rm: file not found and *): file not found. Or if the script is well written it barfs with $(rm *): file not found. Nothing is executed.
I would need to call "sh" or "eval" to make this work.
So imagine a hypothetical script in which you do something like this stupid little example:
my $cmdline = "convert $x.svg $x.png"; system($cmdline);
And in this case, $x is user input. Well, now you're screwed if anyone enters spaces, so you do this:
my $cmdline = "convert '$x.svg' '$x.png'";
Now you've got a classic SQL-injection-style vulnerability. What happens if a user sets $x to "'; rm -rf /; #"? That could be more devastating than a traditional SQL injection vulnerability.
So how, exactly, is Perl more vulnerable than that?
The problem with your example is that in shell you do not need to use the clumsy "commandline=..." construct. It rather looks like this:
#!/bin/bash
x="$1"
convert $x.svg $x.png
You can't "hack" that.
Or let's see with the ugly command in a variable method:
test run:
# test.sh "; rm -rf /; #"
convert: unable to open image `;': No such file or directory @ blob.c/OpenBlob/2439.
convert: unable to open image `rm': No such file or directory @ blob.c/OpenBlob/2439.
convert: unrecognized option `-rf' @ convert.c/ConvertImageCommand/2177.
On the other side, is perl which calls without you knowing "sh" on simple things as opening a file.
Sorry, I have to call bullshit on this. Here's the perldoc on 'open'. It tells you exactly under which circumstances the filename will be interpreted as a command. If you don't want to sanitize a pipe character from the beginning and end of your string, there's always sysopen, which is mapped directly to fopen -- if this is vulnerable, then every single program on your system is vulnerable.
If you can't be bothered to RTFM, what business do you have programming?
And again, how is this more vulnerable than the point at which you call the shell from a perl script?
With shell you don't need to read any manual or sanitize fancy characters. You just write your program. If perl had been programmed with security in mind, the default (i.e. empty mode) would have been a forced '<' and if you want to call a program, you should need to make it '<|' or '>|' or anything funky like that. But no, it's too user friendly and the many scripts around that read files with "open MyFile,$filename;" are a common occurrence.
A random search skipping the links from perl.org brings up quickly a first instruction example how to read a file. http://www.pageresource.com/cgirec/ptut14.htm See, no '<' here, and so beginners immediately write bad code. Irony is that this is even a webpage for how to write CGI scripts.
And we don't talk about my programming business but the thousands
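The thread above settles on two practical rules for the convert case: only accept very specific parameter values, and kill any leading "-" so user data cannot become an option. The following shell script, written for this page and not taken from the thread, turns those rules into a gate in front of a call of the form "convert $x.svg $x.png". It assumes a POSIX sh; fake_convert is a stand-in that only reports the argv it received, so the script runs without ImageMagick, and the sample names are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread. The posts above end up at
# "only allow very specific parameters" and "kill any - in the parameters";
# this is that rule as a gate in front of a call like
#     convert $x.svg $x.png
# Assumptions: POSIX sh; fake_convert stands in for the real tool and only
# reports the argv it received, so the block runs without ImageMagick.

# Accept a bare file stem and nothing else. Everything the thread worries
# about is refused before any command line is built: shell metacharacters,
# whitespace, a leading '-' (option injection into the tool itself),
# path separators and '..' (reading or writing outside the working dir).
valid_name() {
    case $1 in
        '')                 return 1 ;;  # empty
        -*)                 return 1 ;;  # would be parsed as an option
        */*)                return 1 ;;  # no path components
        *..*)               return 1 ;;  # no traversal-looking names
        *[!A-Za-z0-9_.-]*)  return 1 ;;  # conservative character set only
    esac
    return 0
}

# Stand-in for the external tool: prints one argv element per line.
fake_convert() {
    printf '%s\n' "$@"
}

# The guarded call. Returns 2 and runs nothing if the name is refused;
# otherwise quotes the expansions so the tool receives exactly two
# arguments, whatever the name contains.
convert_user_file() {
    valid_name "$1" || return 2
    fake_convert "$1.svg" "$1.png"
}

# How many arguments the tool received for a given name (0 if refused).
argv_count_for() {
    convert_user_file "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration with constructed inputs.
for name in photo_01 '; rm -rf /; #' '-rf' '../etc/passwd' '$(ls)'; do
    if valid_name "$name"; then
        echo "accepted: $name -> $(argv_count_for "$name") args"
    else
        echo "refused:  $name"
    fi
done
```

The allowlist is deliberately narrower than "strip the dangerous characters": enumerating what is allowed is the only list that does not grow every time someone finds another metacharacter, which is exactly the headache the post describes. The leading "-" check is what protects against option injection regardless of whether the real tool honours a "--" separator; do not assume every tool does.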
site:ubuntuforums.org term1 term2
Why they insist on not simply putting a google search link on the forums is a mystery to me.
yes
You can much more easily inject nasty things into perl or php than into shell.
Have you ever seen a shell executing data? I would need to call "sh" or "eval" to make this work.
On the other side, is perl which calls without you knowing "sh" on simple things as opening a file.
So sorry, perl is more prone to injections than shell.
Georges
I don't know if "library of congress" is a surface measure. I only know football fields. But maybe someone knows the size of the Library of Congress in terms of football fields so we could make the conversion.
Hey so I only have to update the PS3, the sony TV (Just one year old, come on!, and it is the top of the line model too!) and buy a couple of glasses.
Do you have this as a bundle?
Oh, this is classified in the "will never happen" section?
As long as the comments going with the code are not copied verbatim, I don't really see an issue.
I used my video camera to film a circus performance. The video was disabled because the sound from the loudspeakers was on my video and that sound was copyrighted music.
At the same time, the same music title was spread around youtube in full glory with accompanying original video clip in dozens of copies and was not blocked. Why is my analog recording blocked and the digital 1:1 copies are not?
Fair use, my ass!
is called "Karl Theodor Maria Nikolaus Johann Jacob Philipp Franz Joseph Sylvester Freiherr von und zu Guttenberg"
http://en.wikipedia.org/wiki/Karl-Theodor_zu_Guttenberg
I tried to post that to the comments of TFA but it does not work.
You can actually run audio and video over DVI. At least that's what my dreambox does over the DVI to HDMI cable. Seems the box simply puts the HDMI signal onto the DVI plug. Probably to not have to pay HDMI licensing costs.
In fact, the Rubik's Cube being a *cube*, one could simply say "a 3".
Roaming profiles are the worst way of a solution to this problem. Ever had to wait like 20 minutes to log in just because MSIE puts its huge webcache into the profile? Oh no no...
Profiles are great, but don't do them the "roaming" way, because that's the rowing way.
Yes, it's like you stop typing on your keyboard and there are still characters displayed on screen.
they are NOT my friends!
And I don't need them to poison my kids with dangerous toys.
YES, it was China who made the Copenhagen conference fail! They simply said no to everything. Really everything. Even to proposals like that Europe does even more CO2 reduction than planned. No, no, nonono, no and no.
Bloody hell. Just screw them!
if the code had been fixed in 1999 using reverse engineering, the developer should have seen that the field says 99 and not 63
So if 99 means 1999 then that 99 must be BCD.
If of course the developer has never heard of what BCD is (most high level languages do not have that concept and today you only learn this stuff at school) then it's no surprise that he passed over this $99 representing 1999. Never questioning why he has to modify the code as $99+1=$9A and that would be fine for 2000...
On another note, some programs were indeed fixed like that. The BCD field, in 1999 was defined as hexadecimal number of years since 1846 ... This works fine until 2102
I plan doing this in software for my mobile disk.
Have a small FAT, holding a vmware image and a player for mac (really soon now), win and linux.
The second big partition is ext3 in a truecrypt container (mobile disk...).
The image contains soft for doing nfs, smb and other accesses to the truecrypt container.
So plug the disk into any machine and start the vmware player: voila there's your data.
yes, solaris is horrible. It's only useful for install-and-forget. Never patch or upgrade. It's just plain simply impossible.
If you want a package manager style update and patching system from a professional (means those big box mover guys) vendor go with HP-UX and AIX. *never* solaris.
Or you can still stick with a serious linux distro.
Windows? Forget it. "you need soft MS-xy for this feature". OK, I install that. Start... "you need .NET framework for soft MS-xy to work". Come on! Where are the dependencies and repository features in windows? And this is in freaking win2008 for 100% MS only products.
Delete the AS from the routing tables and don't peer with them.
Well, it's all nice but I don't like clicking every time I want to change application. Better have them in separate windows.
So it would be rather better to have tabbed desktops, or just plain simple desktops. Oh, we already have that :-)
What I really like is focus follows mouse without automatic window raising. That's my most effective working setup.
There are no more linux based netbooks available in european shops.
Microsoft has won!
Why can't I connect a USB harddisk to my phone?
Why can't I connect my netbook as harddisk to my PC? (ok, file share may work, but it's more cumbersome than just plug the USB cable)
So what I would like is a device which can act as a usb storage but at the same time also accept other usb storage devices connected to it.
Thanks to USB being an asymmetric protocol; why didn't they do it like firewire in the first place?
nice to mention your email which is linked to that slashdot story. But...
"Object not found!
The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.
If you think this is a server error, please contact the webmaster.
Error 404
www.tribrothers.com
Thu Nov 26 02:52:31 2009
Apache/2.0.54 (Linux/SUSE) "
Well, so much for "the Internet never forgets anything".
are browsers without cookie managers now illegal?
No probably not
but the text says that "consent" is implicitly given by the user if he uses a cookie manager.
"the user's consent to processing may be expressed by using the appropriate settings of a browser or other application"