Great Circle Associates Majordomo-Users
(May 1995)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: [Q] Hiding lists......
From: dwolfe @ risc . sps . mot . com (Dave Wolfe)
Date: Thu, 4 May 1995 09:25:26 -0500 (CDT)
To: majordomo-users @ greatcircle . com (Majordomo user's mailing list)
Cc: majordomo-workers @ greatcircle . com (Majordomo developer's mailing list)
Reply-to: David Wolfe <david_wolfe @ risc . sps . mot . com>

[ I wrote: ]
> I'm not sure what the point is beyond ensuring that the specified
> regexps are delimited by // [...]
>
> The bigger problem is that this cursory check doesn't guarantee a
> valid regexp and the results of the eval when it's used are ignored,
> leading to more insidious silent failures.

After taking time to think about this a little more, it's obvious that
my patch opens a big security hole. For some installations, the list
config files must be considered "user input" and as such must not be
blindly eval'ed. Allow me to submit the following patch in place of the
one I posted yesterday. Granted, the regexp for a pattern match isn't
perfect (that would take Perl 5 or 6 separate regexps), but it plugs the
security hole, allows Perl 5 patterns, and any errors are caught by the
eval. (Warning: this has been only minimally tested; line numbers may
differ due to other changes.)

Index: config_parse.pl
===================================================================
RCS file: /cvs/tools/PD/majordomo/config_parse.pl,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 config_parse.pl
*** 1.1.1.1     1995/03/01 14:43:23
--- config_parse.pl     1995/05/04 14:16:56
***************
*** 963,978 ****
        local(@return_re, @re_errors, $re) = ();
   
        foreach $re (@re_array){
!             push(@re_errors,
!               "regular expression |$re| contains a ^A at line $.\n"), next
!                   if $re =~ /\001/;
! 
!                 push(@return_re, $re), next 
!                               if "$re" =~ /^\/[\@\!\w\.\|\\\?\<\>\$\*\^\+]+\/$
/;
!                 push(@return_re, $re), next if "$re" =~ /^$/;
! 
!             push(@re_errors,
!               "regexp |$re| does not match pattern at line $.\n");
        }
  
          if (@re_errors) {
--- 965,984 ----
        local(@return_re, @re_errors, $re) = ();
   
        foreach $re (@re_array){
!           if ($re =~ /\001/) {
!               push(@re_errors,
!                   "regular expression |$re| contains a ^A at line $.\n");
!           }
!           elsif ($re !~ m:^((/)|m([^\w\s])).*(\2|\3|[)}>\]])[a-z]*$:) {
!               push(@re_errors,
!                   "|$re| not a valid pattern match expression at line $.\n");
!           }
!           elsif (eval "'' =~ $re", $@) {
!               push(@re_errors, $@);
!           }
!           else {
!               push(@return_re, $re);
!           }
        }
  
          if (@re_errors) {

-- 
 Dave Wolfe    *Not a spokesman for Motorola*  (512) 891-3246
 Motorola MMTG  6501 Wm. Cannon Dr. W. OE112  Austin  TX  78735-8598

Indexed By Date Previous: Re: Problems with installing Majordomo 1.93
From: Dave Barr <barr@math.psu.edu>
Next: MD 1.93 and perl 5
From: beaudet@citi.doc.ca (Michel Beaudet [GSI])
Indexed By Thread Previous: Re: [Q] Hiding lists......
From: dwolfe@risc.sps.mot.com (Dave Wolfe)
Next: Majordomo aborts due to interrupted system calls
From: Dave Sill <de5@sws5.CTD.ORNL.GOV>

Google
 
Search Internet Search www.greatcircle.com