[mythtv-commits] Ticket #4647: Make mythbookmarkmanager pass valid command line to myth_system()
MythTV
mythtv at cvs.mythtv.org
Tue Feb 12 19:10:27 UTC 2008
#4647: Make mythbookmarkmanager pass valid command line to myth_system()
--------------------------------------+-------------------------------------
Reporter: amb at gedanken.demon.co.uk | Owner: ijr
Type: patch | Status: new
Priority: major | Milestone: unknown
Component: mythbrowser | Version: head
Severity: high | Mlocked: 0
--------------------------------------+-------------------------------------
The mythbookmarkmanager plugin passes an invalid command line to the
myth_system() function. There can be unescaped shell characters passed in
which then get passed straight to the command line. If a URL is
something like http://a.site/path?arg1=1&arg2=2&arg3=3 then the '&'
character is not protected from the shell.
This patch just fixes the non-security related problems by quoting the '&'
and ';' characters. This is not sufficient for a full fix for the problem
but it fixes normal usage. A proper fix should go into myth_system() in
mythlib/utils.cpp.
Unless proven otherwise, failure to escape shell characters should be
considered a security problem. Any command can be stored in the bookmark
by typing it in, so this allows for any shell command to be run as the same
user as mythbrowser. This is why it is marked as major priority and high
severity - feel free to analyse the security implications and downgrade if
necessary.
--
Ticket URL: <http://svn.mythtv.org/trac/ticket/4647>
MythTV <http://svn.mythtv.org/trac>
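As an added illustration (this is not MythTV's code, and the helper names are my own), here is the per-argument quoting the reporter says belongs in myth_system(), placed next to the partial escape the patch applies, plus a scanner that reports the first character a POSIX shell would still interpret. Run on the ticket's example URL, the scanner accepts the single-quoted form and flags the partially escaped one, because '?' is a glob character that the patch does not protect.

```cpp
// Added example, not MythTV code. Shows why per-character escaping of '&'
// and ';' is weaker than quoting the whole argument for a POSIX shell.
#include <cstring>
#include <string>

// Quote one argument so that a POSIX shell treats it as a single literal word.
// Everything goes inside single quotes; an embedded single quote is closed,
// backslash-escaped and reopened:  '  ->  '\''
std::string shell_single_quote(const std::string& arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else           out += c;
    }
    out += "'";
    return out;
}

// The partial fix described in the ticket: backslash-escape only '&' and ';'.
std::string escape_amp_semicolon(const std::string& arg) {
    std::string out;
    for (char c : arg) {
        if (c == '&' || c == ';') out += '\\';
        out += c;
    }
    return out;
}

// Return the first shell metacharacter in `word` that is not protected by a
// backslash or by single quotes, or 0 if the word is fully literal. A wrapper
// such as myth_system() could apply this check before handing a string to
// /bin/sh. An unterminated single quote is reported as unsafe too.
char first_unprotected_metachar(const std::string& word) {
    static const char* meta = "&;|<>()$`\"' \t\n*?[]#~";
    bool in_single = false;
    for (size_t i = 0; i < word.size(); ++i) {
        char c = word[i];
        if (in_single) {
            if (c == '\'') in_single = false;
            continue;
        }
        if (c == '\'') { in_single = true; continue; }
        if (c == '\\') { ++i; continue; }          // next char is literal
        if (std::strchr(meta, c)) return c;
    }
    return in_single ? '\'' : 0;
}

// Build "browser 'url'" with the URL fully quoted (hypothetical helper).
std::string build_browser_command(const std::string& browser,
                                  const std::string& url) {
    return browser + " " + shell_single_quote(url);
}
```

Quoting the argument is the minimum a shell-based wrapper should do; the cleaner design is to skip the shell entirely and pass an argv array to execvp() or posix_spawn(), so no character in the URL is ever interpreted.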