P4DTI issue job000099

Title: The p4 module has a security hole
Status: suspended
Priority: optional
Assigned user: Nick Barnes
Organization: Ravenbrook
Description: Any user could cause the replicator to run arbitrary shell commands by putting appropriate shell meta-characters in a jobname or Perforce user name.
Analysis: The replicator runs the command "p4 -G job -o %s" to get a job from Perforce, and "p4 -G user -o %s" to get details of a user. Either case is a security hole on Unix (and possibly on Windows, but I don't know enough about CMD.EXE to tell).
Perforce jobnames can contain the Unix shell metacharacters semicolon, dollar, backquote, single-quote.
A solution would be for the p4 module to do a fork/exec when running a Perforce command (so that it never goes via the shell) but of course this will only work on Unix. So there would have to be some operating-system dependent code in the p4 module.
See <http://www.ravenbrook.com/infosys/cgi/issue.cgi> for a (simplex) implementation of a p4 interface on Unix that uses exec() to bypass the shell. A duplex implementation should be straightforward to write; it needs another pipe/dup2/fdopen to make the input connection to p4. GDR 2001-03-13.
How found: inspection
Evidence: I noticed this while working on job000049.
Created by: Gareth Rees
Created on: 2000-11-30 13:07:22
Last modified by: Nick Barnes
Last modified on: 2018-07-05 17:27:23
History:
2000-11-30 GDR Created. Agreed priority with RB.
2001-03-13 GDR Added reference to issue.cgi.
2018-07-05 NB Suspended because the P4DTI is obsolete.
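
The fork/exec approach from the analysis, as an added example that is not P4DTI code: a duplex runner built from pipe/dup2/fdopen, Unix only. `run_duplex`, `get_job` and `STAND_IN` are hypothetical names, and `STAND_IN` is a constructed substitute for the p4 client that echoes its arguments and input so the block runs without Perforce.

```python
import os
import sys

def run_duplex(argv, input_bytes=b""):
    """Exec argv directly (no shell); send input_bytes to its stdin.
    Returns (exit_status, stdout_bytes). Unix only."""
    in_r, in_w = os.pipe()    # parent writes, child reads as stdin
    out_r, out_w = os.pipe()  # child writes as stdout, parent reads
    pid = os.fork()
    if pid == 0:  # child process
        try:
            os.dup2(in_r, 0)
            os.dup2(out_w, 1)
            for fd in (in_r, in_w, out_r, out_w):
                os.close(fd)
            # Each list element becomes exactly one argument of the new
            # program; no shell ever sees or interprets the job name.
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)  # reached only if the exec failed
    os.close(in_r)
    os.close(out_w)
    # Write everything, close, then read: fine for small forms, but large
    # transfers in both directions would need select() to avoid deadlock.
    with os.fdopen(in_w, "wb") as to_child:
        to_child.write(input_bytes)
    with os.fdopen(out_r, "rb") as from_child:
        output = from_child.read()
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)
    return code, output

# Constructed stand-in for the p4 client (assumption, so this runs without
# Perforce): it prints the arguments it received, then its stdin.
STAND_IN = [sys.executable, "-c",
            "import sys; sys.stdout.write(repr(sys.argv[1:]) + '|' + sys.stdin.read())"]

def get_job(jobname, client=("p4",), form=b""):
    """Hypothetical wrapper for the page's 'p4 -G job -o %s' command."""
    return run_duplex([*client, "-G", "job", "-o", jobname], form)

if __name__ == "__main__":
    # Constructed job name using the metacharacters the issue lists.
    print(get_job("job;$x`y`'z", client=STAND_IN, form=b"sample input"))
```

The job name reaches the child as a single, unmodified argument, so semicolon, dollar, backquote and single-quote have no special meaning.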