On Thu, Jan 23, 2020 at 03:32:35PM +0100, David Tapia wrote:
> Hi all,
>
> Process.spawn has a vulnerability:
>
>   Process spawn(string command,
>                 void|Stdio.Stream stdin,
>                 void|Stdio.Stream stdout,
>                 void|Stdio.Stream stderr,
>                 // These aren't used. Seems to be part of something unfinished. /mast
>                 //function|void cleanup,
>                 mixed ... args)
>   [...]
>
> // Fix ?
>   return Process(({ "/bin/sh", "-c" }) + split_quoted_string(command), data);
This is an inherent problem with system(3) and similar functions. The solution is not to add stuff on top of them, as you'd break whatever code is _already_ doing the shell quoting outside of this call, because the real command would end up quoted twice. The solution is to use an API that expects a list of arguments and doesn't do any parsing behind the scenes. In this case it's most probably Process.create_process() or its descendants.
Actually, Pike has way too many functions and classes for spawning new processes. A somewhat unfortunate circumstance.
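The three spawning strategies the thread compares, as an added example in Python that is not part of the original mail or of Pike. Python's subprocess and shlex stand in for Process.spawn (the whole string handed to /bin/sh -c), for the proposed split_quoted_string patch, and for Process.create_process (an argument list, no shell); the Pike APIs are only named, not called. ECHO_ARGV is a constructed stand-in for the program being spawned: it prints each element of its argv on its own line, so the caller can see exactly what the child received.

```python
"""Added illustration of the thread's three spawning strategies, in Python.

subprocess/shlex stand in for Pike's Process.spawn, Process.create_process and
split_quoted_string; the Pike APIs are only named here, not called.
"""
import shlex
import subprocess
import sys

# Constructed stand-in for the program being spawned: it prints each element of
# its argv on its own line, so we can see exactly what the child received.
ECHO_ARGV = [sys.executable, "-c", "import sys; [print(a) for a in sys.argv[1:]]"]
# The same program as a correctly quoted shell command string.
ECHO_ARGV_SH = shlex.join(ECHO_ARGV)


def _child_argv(argv):
    """Run argv with no shell and return the argument lines the child printed."""
    proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def spawn_like(command):
    """What Process.spawn does: the whole string goes to /bin/sh -c, so every
    shell metacharacter in it is interpreted."""
    return _child_argv(["/bin/sh", "-c", command])


def proposed_fix(command):
    """The patch proposed in the thread, transliterated: split the string
    shell-style, then prepend /bin/sh -c.  Only the first word becomes the
    script; sh assigns the remaining words to $0, $1, ... so the child starts
    with no arguments at all."""
    return _child_argv(["/bin/sh", "-c"] + shlex.split(command))


def create_process_like(argv):
    """The Process.create_process approach: an argument list, no shell, no
    parsing behind the scenes."""
    return _child_argv(argv)


if __name__ == "__main__":
    # 1. Attacker-controlled text in the string runs a second command.
    print(spawn_like(ECHO_ARGV_SH + " x; echo INJECTED"))             # ['x', 'INJECTED']
    # 2. A caller that already quotes its argument works today...
    print(spawn_like(ECHO_ARGV_SH + " " + shlex.quote("my file")))    # ['my file']
    # 3. ...and is broken by the proposed fix: the argument never arrives.
    print(proposed_fix(ECHO_ARGV_SH + " " + shlex.quote("my file")))  # []
    # 4. With an argv API the same attacker text is just one argument...
    print(create_process_like(ECHO_ARGV + ["x; echo INJECTED"]))      # ['x; echo INJECTED']
    # 5. ...but quoting on top of it now reaches the program literally,
    #    so callers that already quote must be changed, not wrapped.
    print(create_process_like(ECHO_ARGV + [shlex.quote("my file")]))  # ["'my file'"]
```

Case 3 is why the reply warns against bolting a fix onto the string API: sh -c treats only the first word as the script and passes the rest to it as positional parameters, so a caller that quoted correctly silently loses its arguments. Case 5 shows the other half of the argument: once an argv API is used, the caller's own shell quoting has to go, because nothing strips it any more.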