Hylafax Mailing List Archives
Re: [hylafax-users] [hylafax-devel] Re: textfmt picky about filenames?
On Tue, Jun 17, 2003 at 03:09:57PM -0400, Jay R. Ashworth wrote:
> > sendfax -D -m -k "now +72 hours" -n -f 'user@host.com' -d '55512123' "foo^bar"
> > sh: foo: not found
> > sh: bar: cannot open
> > Error converting data; command was "/opt/hylafax/sbin/textfmt -B -f
> > Courier-Bold -p 11 -s default >/tmp//sndfaxQ_aaL5 < foo^bar"
> >
> > However, when I run the textfmt command as displayed, it works. So
> > somewhere in the handoff between sendfax and textfmt, the caret is
> > throwing a wrench in. Truss says it's trying to exec 'bar' and open()
> > 'foo':
>
> Looks like you're using a shell old enough that ^ is a synonym for |,
> and it has, I think, the highest parsing priority. Why it's going inside
> the quotes, I don't know...
>
> Oh: Look on that last line; sendfax is shelling to textfmt...
Yep; sanitized the damn comment right off the email address.
I didn't want to put this on the -users copy of the reply: this is a
security bug; users can specify a malicious filename to sendfax, and
get it to shell it out and do Bad Things.
What the impact is, I'm not sure; is sendfax suid?
In any event, a spot to check.
Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Member of the Technical Staff Baylink RFC 2100
The Suncoast Freenet The Things I Think
Tampa Bay, Florida http://baylink.pitas.com +1 727 647 1274
OS X: Because making Unix user-friendly was easier than debugging Windows
-- Simon Slavin, on a.f.c
____________________ HylaFAX(tm) Users Mailing List _______________________
To subscribe/unsubscribe, click http://lists.hylafax.org/cgi-bin/lsg2.cgi
On UNIX: mail -s unsubscribe hylafax-users-request@hylafax.org < /dev/null
*To learn about commercial HylaFAX(tm) support, mail sales@hylafax.org.*
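The mitigation the thread points toward, as an added example that is not HylaFAX code: the pattern described above (the filename spliced into a command string that sh parses) beside a version that opens the file itself and execs the converter with an argv array, so no shell ever sees the name. /bin/cat stands in for textfmt and the /tmp paths in the demo are constructed.

```c
/* Added example, not HylaFAX code; /bin/cat stands in for textfmt. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern in the thread: the name goes into a string that sh parses, so ^, |, ;, `...` in it are commands. */
int convert_via_shell(const char *conv, const char *in, const char *out) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s >%s < %s", conv, out, in);
    return system(cmd);      /* shown for contrast only */
}

/* Hardened form: open the input ourselves, dup2 it onto stdin and execv the
 * converter with its options as argv entries. No shell sees the name; it is
 * only a byte string given to open(2). Returns exit status, -1 on local error. */
int convert_no_shell(char *const argv[], const char *in, const char *out) {
    int ifd = open(in, O_RDONLY);
    if (ifd < 0) return -1;
    int ofd = open(out, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (ofd < 0) { close(ifd); return -1; }
    pid_t pid = fork();
    if (pid < 0) { close(ifd); close(ofd); return -1; }
    if (pid == 0) {                          /* child */
        dup2(ifd, STDIN_FILENO); dup2(ofd, STDOUT_FILENO);
        close(ifd); close(ofd);
        execv(argv[0], argv);
        _exit(127);                          /* exec failed */
    }
    close(ifd); close(ofd);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: a file literally named foo^bar (constructed) is copied unchanged; returns 1 on match. */
int demo_caret_name(void) {
    const char *in = "/tmp/foo^bar", *out = "/tmp/foo^bar.out";
    char *const cat[] = { "/bin/cat", NULL };
    char buf[32] = { 0 };
    FILE *f = fopen(in, "w");
    if (!f) return 0;
    fputs("hello\n", f); fclose(f);
    int rc = convert_no_shell(cat, in, out);
    if ((f = fopen(out, "r"))) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    unlink(in); unlink(out);
    return rc == 0 && strcmp(buf, "hello\n") == 0;
}
```

With the real converter, the options from the command in the thread (-B, -f, -p, -s) become further argv entries instead of text inside a shell string.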