|Title||The p4 module has a security hole|
|Assigned user||Nick Barnes|
|Description||Any user could cause the replicator to run arbitrary shell commands by putting appropriate shell meta-characters in a jobname or Perforce user name.|
|Analysis||The replicator runs the command "p4 -G job -o %s" to get a job from Perforce, and "p4 -G user -o %s" to get details of a user. Either case is a security hole on Unix (and possibly on Windows, but I don't know enough about CMD.EXE to tell).|
Perforce jobnames can contain the Unix shell metacharacters semicolon, dollar, backquote, single-quote.
A solution would be for the p4 module to do a fork/exec when running a Perforce command (so that it never goes via the shell) but of course this will only work on Unix. So there would have to be some operating-system dependent code in the p4 module.
|Evidence||I noticed this while working on job000049.|
|Created by||Gareth Rees|
|Created on||2000-11-30 13:07:22|
|Last modified by||Nick Barnes|
|Last modified on||2018-07-05 17:27:23|
|History||2000-11-30 GDR Created. Agreed priority with RB.|
2001-03-13 GDR Added reference to issue.cgi.
2018-07-05 NB Suspended because the P4DTI is obsolete.