P4DTI issue job000099

TitleThe p4 module has a security hole
Assigned userNick Barnes
DescriptionAny user could cause the replicator to run arbitrary shell commands by putting appropriate shell meta-characters in a jobname or Perforce user name.
AnalysisThe replicator runs the command "p4 -G job -o %s" to get a job from Perforce, and "p4 -G user -o %s" to get details of a user. Either case is a security hole on Unix (and possibly on Windows, but I don't know enough about CMD.EXE to tell).
Perforce jobnames can contain the Unix shell metacharacters semicolon, dollar, backquote, single-quote.
A solution would be for the p4 module to do a fork/exec when running a Perforce command (so that it never goes via the shell) but of course this will only work on Unix. So there would have to be some operating-system dependent code in the p4 module.
See <http://www.ravenbrook.com/infosys/cgi/issue.cgi> for a (simplex) implementaton of a p4 interface on unix that uses exec() to bypass the shell. A duplex implementation should be straightforward to write; it needs another pipe/dup2/fdopen to make the input connection to p4. GDR 2001-03-13.
How foundinspection
EvidenceI noticed this while working on job000049.
Created byGareth Rees
Created on2000-11-30 13:07:22
Last modified byNick Barnes
Last modified on2018-07-05 17:27:23
History2000-11-30 GDR Created. Agreed priority with RB.
2001-03-13 GDR Added reference to issue.cgi.
       2018-07-05 NB Suspended because the P4DTI is obsolete.