[TUHS] shell escapes in utilities
G. Branden Robinson
g.branden.robinson at gmail.com
Tue Aug 1 22:31:39 AEST 2023
At 2023-08-01T13:38:55+0200, Leah Neukirchen wrote:
> > I got to wondering, based on the sendmail discussions, how many
> > shell escapes have appeared over the years?
> >
> > uucp
> > sendmail
> > xdvi : "The "allowShell" option enables the shell escape in PostScript specials"
>
> From the top of my head, where it can be disabled:
>
> ghostscript (see above)
> tex (write18)
> ed/ex/vi
> nethack
And the *roffs of course. nroff/troff/groff, with the `sy` (system(3))
and `pi` (popen(3)) requests. pic(1) as well ("sh").
groff has, since version 1.12 in 1999, disabled these features by
default; the '-U' ("unsafe") command-line option reënables them. It
added some additional unsafe requests for arbitrary stream I/O, `open`,
`opena` (open with append), and `pso` (`so` for pipeline output).
I recently learned of a limitation in the way AT&T and GNU *roffs, at
least, construct the string `sy` passes passes to system(3), which makes
certain things impossible. Unfortunately it forecloses useful
applications, not any particularly malicious ones.
There is a problem with trying to embed true newlines into the
arguments of a `sy` request. The C++ function that GNU troff uses
to assemble the command string (character by character) _does not
recognize C/C++ string literal escape sequences_. This means that
you _cannot_ embed "\n" in `sy`'s arguments and have it survive, as
a newline character, into the command string passed to the standard
C library's system(3) function. ("A\nB" gets encoded as 'A', '\\',
'n', 'B', not 'A', '\n', 'B'.) Unfortunately, this appears to be
AT&T troff-compatible behavior. But it means that you _cannot_
portably construct multi-line replacement text for sed's 's'
command. (Other sed commands like 'a', 'c', and 'i' will be
similarly affected.) See Savannah #64071.
AT&T troff obviously wasn't written in C++, so this would appear to be
an instance of independent oversight. (Where James Clark had gripes
about AT&T troff behavior, he left them in source code comments.)
I aim to fix this. If I can write an arbitrary shell command, then I
darn well ought to be able to embed an arbitrary sed script in that
shell command (without needing a GNU sed extension to embed newlines).
Regards,
Branden
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.tuhs.org/pipermail/tuhs/attachments/20230801/26e4529c/attachment.sig>
More information about the TUHS
mailing list