Mailing List Archive
Re: [tlug] Re: tlug] Security question with grep/e...
- Date: Tue, 23 Mar 2004 18:10:02 +0900
- From: Alain Hoang <hoanga@example.com>
- Subject: Re: [tlug] Re: tlug] Security question with grep/e...
- References: <200403230503.i2N53juu011858@example.com> <87lllsnhsw.fsf@example.com>
On Mar 23, 2004, at 4:28 PM, Stephen J. Turnbull wrote:

>>>>>> "Jim" == Jim Breen <Jim.Breen@example.com> writes:
>
>     Jim> Can you be more specific about the risks? As I understand it,
>     Jim> doing a system("foobar par1 par2"); just stokes up /bin/sh
>     Jim> under my account (it's usually cgiwrap or equivalent) and
>     Jim> runs foobar.
>
> [snip lots of really good info]

Wow, I learned a lot myself. I believe Dr. Turnbull covered everything I could possibly think of and more in terms of what to worry about from a security aspect of running a CGI script that pipes the output from an egrep (with proper escapes).

I would just like to add that on the surface the egrep idea seems portable, but there seem to be those small niggling unknowns that bother me if I knew this was going to be mirrored across many different types of architectures. Even though egrep is 'available' on all machines as mentioned earlier, the implementations all differ slightly, so one regexp that seems reasonable on your test machine behaves oddly on another because that egrep doesn't support one set. Or perhaps another system DOES have egrep, but it's located somewhere else and it's not the first one that is called on the PATH in the CGI.

At this point you might decide to just go with GNU egrep, but then you have the issue of calling GNU egrep reliably on a large set of machines that might have stuck GNU egrep in lots of different places. You also get the problem of: does GNU egrep have any security exploits? Which version of GNU egrep is on that machine? Or you try to support a subset that all these versions of egrep support. That's a bit of reading on different versions of egrep. At this point you're probably better off writing your own program rather than trying to patch up all these systems. Or wondering if Perl is starting to become a more viable option :-)

> I don't think the risks are all that high, but then I don't personally
> have the visibility that some of the Monash mirrors do.

I think this brings up another good point. The more visible you are, the more the arrows get pointed at you. I've found Monash a really useful resource for years as a student of Japanese. I think that visibility brings with it nuisances that think it would be great to take down a useful site.

Just my 2Y

Alain

Or why you turn off your computer by clicking "start"?
-Joel on Software
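The thread above weighs `system("egrep ...")` from a CGI script against the risks of handing user input to /bin/sh and the portability of whatever egrep happens to be first on PATH. The following is an added example, written for this archive page and not code from Jim Breen, Stephen Turnbull or the Monash mirrors, that puts the three options side by side: the concatenated shell string, the same string with each argument quoted, and an argv list handed straight to exec with no shell at all, together with an allowlist check on the search term and an explicit path to the binary. The allowlist (ASCII word characters plus kana and kanji), the `/usr/bin/egrep` path and the sample dictionary lines are assumptions made for the example.

```python
"""Added example (not from the thread): three ways a CGI handler can call egrep.

Assumptions: the dictionary file is EDICT-style plain text, the search term
comes straight from a form field, and egrep lives at /usr/bin/egrep.
"""
import os
import re
import shlex
import shutil
import subprocess
import tempfile

# Assumed allowlist: letters, digits, space, a few punctuation marks, hiragana,
# katakana and CJK ideographs. Deliberately excludes shell metacharacters and
# most regex operators, so one term behaves the same on every egrep.
SAFE_TERM = re.compile(r"^[A-Za-z0-9 ._'\-\u3040-\u30ff\u4e00-\u9fff]{1,64}$")


def naive_command(user_term, data_file):
    """The risky form: a command string built by concatenation.

    /bin/sh parses the whole string, so ';', '|', '`', '$(...)' and friends in
    user_term become shell syntax. Returned as a string only to show what the
    shell would see; nothing here executes it.
    """
    return "egrep %s %s" % (user_term, data_file)


def quoted_command(user_term, data_file):
    """Still a shell string, but every argument is single-quoted via shlex.quote.

    This neutralises metacharacters, but you now depend on the quoting rules of
    whichever /bin/sh the CGI wrapper starts. '-e' stops a leading '-' from being
    read as an option; '--' ends option parsing before the filename.
    """
    return "egrep -e %s -- %s" % (shlex.quote(user_term), shlex.quote(data_file))


def build_argv(user_term, data_file, egrep_path="/usr/bin/egrep"):
    """No shell at all: return an argv list for exec*, after validating the term.

    The explicit binary path avoids picking up whatever egrep is first on the
    CGI's PATH; the allowlist keeps the pattern inside a dialect every egrep
    understands and rejects shell and regex metacharacters outright.
    """
    if not SAFE_TERM.match(user_term):
        raise ValueError("rejected search term")
    return [egrep_path, "-i", "-e", user_term, "--", data_file]


def run_search(user_term, data_file, egrep_path=None):
    """Run the search without a shell and return the matching lines.

    Returns None when no egrep/grep binary can be located, so the caller can
    fall back to searching in-process instead of silently running nothing.
    """
    path = egrep_path or shutil.which("egrep") or shutil.which("grep")
    if path is None:
        return None
    argv = build_argv(user_term, data_file, egrep_path=path)
    if os.path.basename(path) == "grep":
        argv.insert(1, "-E")  # plain grep needs -E for egrep syntax
    # shell=False: argv goes to execve directly, no /bin/sh in between.
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    # grep exits 1 for "no match", which is not an error for us.
    if result.returncode not in (0, 1):
        raise RuntimeError("egrep failed: %s" % result.stderr.strip())
    return result.stdout.splitlines()


if __name__ == "__main__":
    # Constructed sample dictionary, three EDICT-style lines.
    sample = "日本 [にほん] /(n) Japan/\nsecurity /(n) 安全/\ngrep /(v) to search/\n"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(sample)
        tmp = fh.name
    try:
        hostile = "foo; rm -rf /"
        print("shell sees :", naive_command(hostile, tmp))
        print("quoted     :", quoted_command(hostile, tmp))
        try:
            build_argv(hostile, tmp)
        except ValueError as err:
            print("argv form  :", err)
        print("argv form  :", build_argv("日本", tmp))
        print("matches    :", run_search("security", tmp))
    finally:
        os.unlink(tmp)
```

The argv form is the one to prefer: it removes the shell from the picture entirely, pins the binary, and the allowlist sidesteps the cross-platform regex dialect problem raised in the post. `quoted_command` is shown only for cases where a shell is unavoidable.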
- Follow-Ups:
- Re: [tlug] Re: tlug] Security question with grep/e...
- From: Stephen J. Turnbull
- References:
- [tlug] Re: tlug] Security question with grep/e...
- From: Jim Breen
- Re: [tlug] Re: tlug] Security question with grep/e...
- From: Stephen J. Turnbull