Debian Bug report logs - #357239
swish-e: _pdf2html.pl filter example needs to quote filenames

Package: swish-e; Maintainer for swish-e is Ludovic Drolez <ldrolez@debian.org>; Source for swish-e is src:swish-e.

Reported by: "Alexander Buerger" <buerger@iskp.uni-bonn.de>

Date: Thu, 16 Mar 2006 10:48:13 UTC

Severity: normal

Tags: patch

Found in version swish-e/2.4.3-3

Fixed in version swish-e/2.4.3-5

Done: Ludovic Drolez <ldrolez@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>:
Bug#357239; Package swish-e. Full text and rfc822 format available.

Acknowledgement sent to "Alexander Buerger" <buerger@iskp.uni-bonn.de>:
New Bug report received and forwarded. Copy sent to Ludovic Drolez <ldrolez@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Alexander Buerger" <buerger@iskp.uni-bonn.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: swish-e: _pdf2html.pl filter example needs to quote filenames
Date: Thu, 16 Mar 2006 11:36:37 +0100
Package: swish-e
Version: 2.4.3-3
Severity: normal
Tags: patch


Running swish-e on pdf files containing parentheses in their names with the
_pdf2html.pl filter example fails because the filenames are not quoted
when calling the pdf utilities. This patch fixes the problem:

--- /usr/share/doc/swish-e/examples/filter-bin/_pdf2html.pl
2003-04-14 18:51:06.000000000 +0200
+++ _pdf2html.pl        2006-03-16 11:29:51.049932224 +0100
@@ -41,7 +41,7 @@
 
 my %metadata;
 
-open F, "pdfinfo $file |" || 
+open F, "pdfinfo '$file' |" || 
 die "$0: Failed to open $file $!";
 
 while (<F>) {
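Review bot: The added `open F, "pdfinfo '$file' |" ||` line still builds a shell command string, so a file name that itself contains a single quote ends the quoting early and the remainder of the name is parsed by the shell; the parentheses case is fixed, the general case is not. Passing the arguments as a list, e.g. `open F, '-|', 'pdfinfo', $file`, avoids the shell altogether (Perl 5.8 supports this form). Separately, the `||` on this line binds to the command string rather than to `open`, so the `die` on the following context line can never fire; `or die`, as the second hunk uses, would.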
@@ -81,7 +81,7 @@
 
 # Might be faster to use sysread and read in larger blocks
 
-open F, "pdftotext $file - |" or die "$0: failed to run pdftotext: $!";
+open F, "pdftotext '$file' - |" or die "$0: failed to run pdftotext:
$!";
 print escapeHTML($_) while ( <F> );
 close F or die "$0: Failed close on pipe to pdftotext for $file: $?";
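Review bot: The `+open F, "pdftotext '$file' - |" or die ...` line has been wrapped in transit, leaving `$!";` on a line with no `+` prefix, so the hunk no longer matches its `@@ -81,7 +81,7 @@` counts and will not apply as posted (the `---` header line above is wrapped the same way); resend it unwrapped or as an attachment. The single-quote wrapping here has the same gap as in the first hunk for names that contain `'`; `open F, '-|', 'pdftotext', $file, '-'` would pass the name without involving a shell.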
 

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-1-k7
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to de_DE)

Versions of packages swish-e depends on:
ii  debconf [debconf-2.0]    1.4.71          Debian configuration management sy
ii  libc6                    2.3.6-3         GNU C Library: Shared libraries an
ii  libpcre3                 6.4-1.1         Perl 5 Compatible Regular Expressi
ii  libxml2                  2.6.23.dfsg.2-2 GNOME XML library
ii  zlib1g                   1:1.2.3-11      compression library - runtime

Versions of packages swish-e recommends:
ii  libmime-types-perl            1.16-1     Perl extension for determining MIM
ii  perl                          5.8.8-3    Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.8.7]     5.8.8-3    The Pathologically Eclectic Rubbis

-- debconf information:
* swish-e/configuration-note:



Information forwarded to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>:
Bug#357239; Package swish-e. Full text and rfc822 format available.

Acknowledgement sent to Brian May <bam@debian.org>:
Extra info received and forwarded to list. Copy sent to Ludovic Drolez <ldrolez@debian.org>. Full text and rfc822 format available.

Message #10 received at 357239@bugs.debian.org (full text, mbox):

From: Brian May <bam@debian.org>
To: 357239@bugs.debian.org
Cc: Alexander Buerger <buerger@iskp.uni-bonn.de>
Subject: swish-e: quoting very insufficient
Date: Wed, 22 Mar 2006 12:18:55 +1100

Unfortunately the patch given is insufficient for the general case.

It appears that swish-e spawns everything through the shell "sh -c
'command'"[1]. Parameters within command are not quoted.

This has serious implications, for example when scanning the file:

/jade/fileserver/home/ivtintranet/forgetter/sitebuilder/memory/data/I can't rememeber/hello.ps

using the Filter:

FileFilter .ps pstotext

The command line becomes:

[pid 10852] execve("/bin/sh", ["sh", "-c", "pstotext \'/jade/fileserver/home/ivtintranet/forgetter/sitebuilder/memory/data/I can\'t rememeber/hello.ps\' \'/jade/fileserver/home/ivtintranet/forgetter/sitebuilder/memory/data/I can\'t rememeber/hello.ps\'"], [/* 23 vars */]) = 0

which in turn spawns:

[pid 10852] execve("/usr/bin/pstotext", ["pstotext", "/jade/fileserver/home/ivtintranet/forgetter/sitebuilder/memory/data/I cant", "rememeber/hello.ps /jade/fileserver/home/ivtintranet/forgetter/sitebuilder/memory/data/I", "cant rememeber/hello.ps"], [/* 22 vars */]) = 0

Which obviously fails.

This could be a security issue if indexing files from an untrusted source,
as an attacker could pick filenames like

hi';  rm -rf /; 'echo there

and trick swish-e into running sh in such a way that it runs the rm -rf command.

There is also a similar bug within pstotext, see bug #356988 - the
solution might be similar.

An alternative solution is what swish++ does: it quotes all special
characters before passing them to the shell, however far safer and
simpler IMHO is not to run the shell in the first place.

Notes:
[1] I would sooner it didn't run the shell - running the shell wastes
time and probably isn't required for most (if not all) filters.
-- 
Brian May <bam@debian.org>
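
The difference between the two approaches discussed in the message above, as an added example (not swish-e's code and not part of the report). It assumes `echo` as a stand-in for the filter program; the file name is constructed, its embedded command is a harmless marker, and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed file name; the embedded command is a harmless marker. */
static const char *SAMPLE = "hi'; echo INJECTED; 'x.ps";

/* Pattern from the report: name wrapped in '...' and run by sh -c (popen). */
const char *run_via_shell(const char *prog, const char *file) {
    static char out[512];
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s '%s'", prog, file);
    FILE *fp = popen(cmd, "r");
    if (!fp) return "";
    size_t n = fread(out, 1, sizeof out - 1, fp);
    out[n] = '\0';
    pclose(fp);
    return out;
}

/* No shell: the name reaches the filter as exactly one argv element. */
const char *run_no_shell(const char *prog, const char *file) {
    static char out[512];
    int fd[2];
    size_t n = 0;
    ssize_t r;
    if (pipe(fd) < 0) return "";
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return ""; }
    if (pid == 0) {                    /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        char *argv[] = { (char *)prog, (char *)file, NULL };
        execvp(prog, argv);
        _exit(127);                    /* exec failed */
    }
    close(fd[1]);
    while ((r = read(fd[0], out + n, sizeof out - 1 - n)) > 0) n += (size_t)r;
    out[n] = '\0';
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return out;
}

int main(void) {
    printf("sh -c : %sexecvp: %s", run_via_shell("echo", SAMPLE), run_no_shell("echo", SAMPLE));
    return 0;
}
```

With the shell in the path, the stand-in filter sees only `hi` and the marker command runs as a separate command; with `execvp` the whole name arrives as a single argument, quotes and semicolons included.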




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#357239; Package swish-e. Full text and rfc822 format available.

Acknowledgement sent to Ludovic Drolez <ldrolez@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #15 received at 357239@bugs.debian.org (full text, mbox):

From: Ludovic Drolez <ldrolez@debian.org>
To: Alexander Buerger <buerger@iskp.uni-bonn.de>, 357239@bugs.debian.org
Subject: Re: Bug#357239: swish-e: _pdf2html.pl filter example needs to quote filenames
Date: Fri, 23 Jun 2006 15:03:45 +0200

On Thu, Mar 16, 2006 at 11:36:37AM +0100, Alexander Buerger wrote:
> -open F, "pdfinfo $file |" || 
> +open F, "pdfinfo '$file' |" || 

Hi !

It seems that, open F, "pdfinfo \"$file\" , works even better (no
problems with single quotes in file names).

Could you confirm ?

Cheers,

-- 
Ludovic Drolez.

http://www.palmopensource.com       - The PalmOS Open Source Portal
http://www.drolez.com      - Personal site - Linux and PalmOS stuff



Reply sent to Ludovic Drolez <ldrolez@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Alexander Buerger" <buerger@iskp.uni-bonn.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #20 received at 357239-close@bugs.debian.org (full text, mbox):

From: Ludovic Drolez <ldrolez@debian.org>
To: 357239-close@bugs.debian.org
Subject: Bug#357239: fixed in swish-e 2.4.3-5
Date: Thu, 14 Sep 2006 14:17:55 -0700
Source: swish-e
Source-Version: 2.4.3-5

We believe that the bug you reported is fixed in the latest version of
swish-e, which is due to be installed in the Debian FTP archive:

swish-e-dev_2.4.3-5_i386.deb
  to pool/main/s/swish-e/swish-e-dev_2.4.3-5_i386.deb
swish-e_2.4.3-5.diff.gz
  to pool/main/s/swish-e/swish-e_2.4.3-5.diff.gz
swish-e_2.4.3-5.dsc
  to pool/main/s/swish-e/swish-e_2.4.3-5.dsc
swish-e_2.4.3-5_i386.deb
  to pool/main/s/swish-e/swish-e_2.4.3-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 357239@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Drolez <ldrolez@debian.org> (supplier of updated swish-e package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 11 Sep 2006 17:32:11 +0200
Source: swish-e
Binary: swish-e swish-e-dev
Architecture: source i386
Version: 2.4.3-5
Distribution: unstable
Urgency: low
Maintainer: Ludovic Drolez <ldrolez@debian.org>
Changed-By: Ludovic Drolez <ldrolez@debian.org>
Description: 
 swish-e    - Simple Web Indexing System for Humans - Enhanced
 swish-e-dev - Simple Web Indexing System for Humans - Enhanced
Closes: 357239 381676 381853
Changes: 
 swish-e (2.4.3-5) unstable; urgency=low
 .
   * Added Open Document support in the example shown in README.Debian
   * Added files to index and search the Debian documentation: search-debiandoc, swish-debiandoc
   * Added quotes to the _pdf2html.pl filter. Closes: #357239
   * Added new debconf templates translations. Closes: #381853, #381676
   * Added swish-mail for improved Maildir indexing. Depends on hypermail.
   * Added the man pages for swish.cgi and search.cgi
Files: 
 6f7ac154fbb6aed886c0f6dd776da1de 644 web optional swish-e_2.4.3-5.dsc
 95d510440511260263fdb8eb11f1fce1 12361 web optional swish-e_2.4.3-5.diff.gz
 b3d2810272429fabd48cd0e12688a2fe 819844 web optional swish-e_2.4.3-5_i386.deb
 6e3d94b5e038336357ca42c040447768 130558 web optional swish-e-dev_2.4.3-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFCbUFsRlQAP1GppgRApcmAJ9SXkBHsLbc9l9dqLMdHTG8QZCtMACfVOPj
AsWJIKFLg59/BvgdKTQYMQk=
=xWiL
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 07:28:59 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 08:51:39 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.