Bug #31738 for IPC-Cmd: Systems using IPC::Open3 with IPC::Cmd are not actually safe

Wed Dec 19 22:20:43 2007 mkanat [...] cpan.org - Ticket created

Subject:

Systems using IPC::Open3 with IPC::Cmd are not actually safe

Examine the difference in output between these two commands: perl -MIPC::Cmd=run -e '$IPC::Cmd::VERBOSE=1; $IPC::Cmd::USE_IPC_OPEN3=1;run(command => ["echo", "hello", ";cat /etc/passwd;"])' and: perl -MIPC::Cmd=run -e '$IPC::Cmd::VERBOSE=1; $IPC::Cmd::USE_IPC_RUN=1;run(command => ["echo", "hello", ";cat /etc/passwd;"])' The first one dumps /etc/password, the second does what I expect IPC::Cmd to do from its documentation.

Sun Jan 27 11:20:15 2008 kane [...] cpan.org - Correspondence added

On Wed Dec 19 22:20:43 2007, MKANAT wrote: Show quoted text

> Examine the difference in output between these two commands: > > perl -MIPC::Cmd=run -e '$IPC::Cmd::VERBOSE=1; > $IPC::Cmd::USE_IPC_OPEN3=1;run(command => ["echo", "hello", ";cat > /etc/passwd;"])' > > and: > > perl -MIPC::Cmd=run -e '$IPC::Cmd::VERBOSE=1; > $IPC::Cmd::USE_IPC_RUN=1;run(command => ["echo", "hello", ";cat > /etc/passwd;"])' > > The first one dumps /etc/password, the second does what I expect > IPC::Cmd to do from its documentation.

I can't reproduce this: $ perl -MIPC::Cmd=run -e '$IPC::Cmd::VERBOSE=1;$IPC::Cmd::USE_IPC_OPEN3=1;run(command => ["echo", "hello", ";cat /etc/passwd;"])' Running [echo hello ;cat /etc/passwd;]... hello ;cat /etc/passwd; $ perl -MIPC::Cmd=run -e '$IPC::Cmd::VERBOSE=1;$IPC::Cmd::USE_IPC_RUN=1;run(command => ["echo", "hello", ";cat /etc/passwd;"])' Running [echo hello ;cat /etc/passwd;]... hello ;cat /etc/passwd; What versions of perl, IPC::Cmd, IPC::Run and IPC::Open3 are you using?

Sun Jan 27 11:20:16 2008 The RT System itself - Status changed from 'new' to 'open'

Sun Jan 27 11:20:17 2008 kane [...] cpan.org - Status changed from 'open' to 'stalled'

Sun Jan 27 11:37:30 2008 mkanat [...] cpan.org - Correspondence added

From:

mkanat [...] cpan.org

On Sun Jan 27 11:20:15 2008, KANE wrote: Show quoted text

> I can't reproduce this: > [snip]

Hrm, interesting! Yeah, the same strings still reproduce it for me. Show quoted text

> What versions of perl, IPC::Cmd, IPC::Run and IPC::Open3 are you > using?

I'm on Perl 5.8.8, IPC::Cmd 0.40, and IPC::Open3 1.02.

Sun Jan 27 11:37:31 2008 The RT System itself - Status changed from 'stalled' to 'open'

Sun Jan 27 14:13:59 2008 kane [...] xs4all.nl - Correspondence added

Subject:	Re: [rt.cpan.org #31738] Systems using IPC::Open3 with IPC::Cmd are not actually safe
Date:	Sun, 27 Jan 2008 20:13:43 +0100
To:	bug-IPC-Cmd [...] rt.cpan.org
From:	"Jos I. Boumans" <kane [...] xs4all.nl>

On Jan 27, 2008, at 5:37 PM, Max Kanat-Alexander via RT wrote: Show quoted text

> > Queue: IPC-Cmd > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=31738 > > > On Sun Jan 27 11:20:15 2008, KANE wrote:

>> I can't reproduce this: >> [snip]

> > Hrm, interesting! Yeah, the same strings still reproduce it for me.

Then it's related to particularly the output of *your* gzip.exe. To be able to debug this, i'd need to have a copy of that executable (does it run standalone) or at least the full output you get when running the command. Thanks, -- Jos Boumans From kid's Superman costume for Halloween (stitched into the cape's tag) -- "Warning: Use of This Device Does Not Enable Wearer To Fly." CPANPLUS http://cpanplus.sf.net

Sun Jan 27 14:18:25 2008 mkanat [...] cpan.org - Correspondence added

On Sun Jan 27 14:13:59 2008, kane@xs4all.nl wrote: Show quoted text

> Then it's related to particularly the output of *your* gzip.exe.

Hrm, my gzip? Is that somehow related to Open3, or did you accidentally comment on the wrong ticket? I'm using Fedora 8, so it would be whatever is there, in case this wasn't a "wrong ticket" comment. It's almost certainly dynamically linked. -Max

Sun Jan 27 15:09:36 2008 kane [...] cpan.org - Correspondence added

On Sun Jan 27 14:18:25 2008, MKANAT wrote: Show quoted text

> On Sun Jan 27 14:13:59 2008, kane@xs4all.nl wrote:

> > Then it's related to particularly the output of *your* gzip.exe.

> > Hrm, my gzip? Is that somehow related to Open3, or did you > accidentally comment on the wrong ticket?

Sorry, wrong ticket indeed -- my bad. Show quoted text

> I'm using Fedora 8, so it > would be whatever is there, in case this wasn't a "wrong ticket" > comment. It's almost certainly dynamically linked.

I'm using the same configuration as you, and I can't reproduce it on OSX: perl 5.8.8, IPC::Open3 1.02, IPC::Cmd 0.40 However, I get the same behaviour as you described when trying this on a debian sarge machine. This will need some more investigation.... -- Jos

Mon Jul 28 21:25:33 2008 mkanat [...] cpan.org - Correspondence added

On Sun Jan 27 15:09:36 2008, KANE wrote: Show quoted text

> However, I get the same behaviour as you described when trying this on > a debian sarge machine. This will need some more investigation....

Hey Jos. You ever figure this out?

Thu Sep 18 08:53:27 2008 kane [...] cpan.org - Correspondence added

On Mon Jul 28 21:25:33 2008, MKANAT wrote: Show quoted text

> On Sun Jan 27 15:09:36 2008, KANE wrote:

> > However, I get the same behaviour as you described when trying this on > > a debian sarge machine. This will need some more investigation....

> > Hey Jos. You ever figure this out?

Actually, I did not -- the sarge server i had access to got upgraded to etch, and now all hosts (debian or not), behave the way they should with either perl 5.8 or 5.10 and IPC::Cmd 0.41_01 and IPC::Open3 1.02. Quite honestly, I'm stumped on to what happened and what fixed it.. :(

Thu Sep 18 08:53:29 2008 kane [...] cpan.org - Status changed from 'open' to 'stalled'

Fri Oct 03 09:35:43 2008 mkanat [...] cpan.org - Correspondence added

On Thu Sep 18 08:53:27 2008, KANE wrote: Show quoted text

> Actually, I did not -- the sarge server i had access to got upgraded to > etch, and now all hosts (debian or not), behave the way they should with > either perl 5.8 or 5.10 and IPC::Cmd 0.41_01 and IPC::Open3 1.02. > > Quite honestly, I'm stumped on to what happened and what fixed it.. :(

Hmm. I can still reproduce it completely on my Fedora 9 system: [mkanat@es-lappy ~]$ rpm -q perl-IPC-Cmd perl-IPC-Cmd-0.40-33.fc9.i386 [mkanat@es-lappy ~]$ rpm -q perl perl-5.10.0-33.fc9.i386 [mkanat@es-lappy ~]$ rpm -q perl-IPC-Cmd perl-IPC-Cmd-0.40-33.fc9.i386 [mkanat@es-lappy ~]$ perl -MIPC::Open3 -e 'print IPC::Open3->VERSION' 1.02 Perhaps your debian system has some patches (or my system has some patches) that aren't standard? I recall looking over the Open3 code in IPC::Cmd that this actually *should* happen (though it's still bad), since there's a point at which I think it passes the arguments in some funny way that makes it so that Open3 doesn't use its normal protections.

Fri Oct 03 09:35:47 2008 The RT System itself - Status changed from 'stalled' to 'open'

Thu Dec 04 07:44:33 2008 kane [...] cpan.org - Correspondence added

On Fri Oct 03 09:35:43 2008, MKANAT wrote: Show quoted text

> I recall looking over the Open3 code in IPC::Cmd that this actually > *should* happen (though it's still bad), since there's a point at which > I think it passes the arguments in some funny way that makes it so that > Open3 doesn't use its normal protections.

Ok, if you can point me to that, and how to fix it, that'd be great. The latest release is here: http://search.cpan.org/~kane/IPC-Cmd/lib/IPC/Cmd.pm Thanks,

Thu Dec 04 07:44:45 2008 kane [...] cpan.org - Status changed from 'open' to 'stalled'

Mon Jun 21 20:22:42 2010 mkanat [...] cpan.org - Correspondence added

On Thu Dec 04 07:44:33 2008, KANE wrote: Show quoted text

> The latest release is here: > > http://search.cpan.org/~kane/IPC-Cmd/lib/IPC/Cmd.pm

Ah, okay, I finally got around to investigating this. It turns out that one of the IPC::Cmd releases after I reported this bug actually fixed the problem. It used to do this: $ok = __PACKAGE__->_open3_run( ( ref $cmd ? "@$cmd" : $cmd ), Thus joining all the args. Now it actually properly passes them to _open3_run as an array.

Mon Jun 21 20:22:43 2010 The RT System itself - Status changed from 'stalled' to 'open'

Tue Oct 19 10:31:39 2010 BINGOS [...] cpan.org - Correspondence added 5 min

Closing ticket as problem seems to be resolved.

Tue Oct 19 10:31:40 2010 BINGOS [...] cpan.org - Status changed from 'open' to 'resolved'

Tue Oct 19 10:31:41 2010 BINGOS [...] cpan.org - Given to BINGOS