Subject: Re: bug in search engine
In reply to: [not found] <Pine.BSF.4.58.0310092205520.3841@acrux.dbai.tuwien.ac.at>
From: Hans-Peter Nilsson @ 2003-10-09 20:21 UTC
To: Gerald Pfeifer; +Cc: Christopher Faylor, overseers

On Thu, 9 Oct 2003, Gerald Pfeifer wrote:
> On Thu, 9 Oct 2003, Hans-Peter Nilsson wrote:
> > cgf or Gerald, I suggest one of you chmod -x the sourceware
> > htsearch too. I'm not root. I can't do it assuming it's the
> > one in /www/cgi-bin.
>
> Given that you're the local htdig expert, I followed your advice:

Thanks, but please don't call me htdig expert to my face. :-)

I have trouble understanding why getopt can get hold of that
"--bar". I can't repeat it on my own; the query with method GET
ends up as it should in QUERY_STRING with argc 0 and argv empty.

Chris, can I have access to the web logs, please? (They used to
be accessible, FWIW.)

brgds, H-P
Subject: Re: bug in search engine
From: Christopher Faylor @ 2003-10-09 20:33 UTC
To: Hans-Peter Nilsson; +Cc: Gerald Pfeifer, overseers

On Thu, Oct 09, 2003 at 04:21:46PM -0400, Hans-Peter Nilsson wrote:
>On Thu, 9 Oct 2003, Gerald Pfeifer wrote:
>> On Thu, 9 Oct 2003, Hans-Peter Nilsson wrote:
>> > cgf or Gerald, I suggest one of you chmod -x the sourceware
>> > htsearch too. I'm not root. I can't do it assuming it's the
>> > one in /www/cgi-bin.
>>
>> Given that you're the local htdig expert, I followed your advice:
>
>Thanks, but please don't call me htdig expert to my face. :-)
>
>I have trouble understanding why getopt can get hold of that
>"--bar". I can't repeat it on my own; the query with method GET
>ends up as it should in QUERY_STRING with argc 0 and argv empty.
>
>Chris, can I have access to the web logs, please? (They used to
>be accessible, FWIW.)

Grrr... Stupid Red Hat up2date. It keeps setting the permission on the
/www/logs directory. It's fixed now.

Please let me know if I can do anything else to help.

cgf
Subject: Re: bug in search engine
From: Hans-Peter Nilsson @ 2003-10-09 20:37 UTC
To: Gerald Pfeifer; +Cc: Christopher Faylor, overseers

On Thu, 9 Oct 2003, Hans-Peter Nilsson wrote:
> I have trouble understanding why getopt can get hold of that
> "--bar". I can't repeat it on my own; the query with method GET
> ends up as it should in QUERY_STRING with argc 0 and argv empty.
>
> Chris, can I have access to the web logs, please? (They used to
> be accessible, FWIW.)

Not needed. Anyone: Is it an apache configury thing to give
cgi:s the args in argv as well as in QUERY_STRING with method
GET? It happens on gcc.gnu.org, but not where I tested first.
(A STFW wasn't conclusive.)

If so, I suggest shutting that option off and adding a big warning
in httpd.conf (or wherever). I'll fix htdig independently of this.

brgds, H-P
Subject: Re: bug in search engine
From: Christopher Faylor @ 2003-10-09 20:49 UTC
To: Hans-Peter Nilsson; +Cc: Gerald Pfeifer, overseers

On Thu, Oct 09, 2003 at 04:37:19PM -0400, Hans-Peter Nilsson wrote:
>On Thu, 9 Oct 2003, Hans-Peter Nilsson wrote:
>> I have trouble understanding why getopt can get hold of that
>> "--bar". I can't repeat it on my own; the query with method GET
>> ends up as it should in QUERY_STRING with argc 0 and argv empty.
>>
>> Chris, can I have access to the web logs, please? (They used to
>> be accessible, FWIW.)
>
>Not needed. Anyone: Is it an apache configury thing to give
>cgi:s the args in argv as well as in QUERY_STRING with method
>GET? It happens on gcc.gnu.org, but not where I tested first.
>(A STFW wasn't conclusive.)

Isn't that at the discretion of the form that is used to invoke the cgi?
Method="post", maybe? If so, I can fix this easily.

cgf
Subject: Re: bug in search engine
From: Christopher Faylor @ 2003-10-09 20:58 UTC
To: Hans-Peter Nilsson, Gerald Pfeifer, overseers

On Thu, Oct 09, 2003 at 04:49:47PM -0400, Christopher Faylor wrote:
>On Thu, Oct 09, 2003 at 04:37:19PM -0400, Hans-Peter Nilsson wrote:
>>On Thu, 9 Oct 2003, Hans-Peter Nilsson wrote:
>>> I have trouble understanding why getopt can get hold of that
>>> "--bar". I can't repeat it on my own; the query with method GET
>>> ends up as it should in QUERY_STRING with argc 0 and argv empty.
>>>
>>> Chris, can I have access to the web logs, please? (They used to
>>> be accessible, FWIW.)
>>
>>Not needed. Anyone: Is it an apache configury thing to give
>>cgi:s the args in argv as well as in QUERY_STRING with method
>>GET? It happens on gcc.gnu.org, but not where I tested first.
>>(A STFW wasn't conclusive.)
>
>Isn't that at the discretion of the form that is used to invoke the cgi?
>Method="post", maybe? If so, I can fix this easily.

That was it. I'm changing all of the search options to use 'method="post"'.
That seems to work correctly.

I've turned htsearch back on again.

cgf
Subject: Re: bug in search engine
From: Gerald Pfeifer @ 2003-10-09 21:22 UTC
To: overseers

On Thu, 9 Oct 2003, Christopher Faylor wrote:
>> Isn't that at the discretion of the form that is used to invoke the cgi?
>> Method="post", maybe? If so, I can fix this easily.
> That was it. I'm changing all of the search options to use 'method="post"'.
> That seems to work correctly.

Nice detective work, thanks!

> I've turned htsearch back on again.

Security-wise this may be premature (if, and only if, the problem is
exploitable): someone else could craft a form invoking our cgi-bin in
the original "bad" way -- and given the problem was mentioned on the
public gcc list I'd say there is a non-zero chance for someone trying.

Or did I miss anything?

Gerald
-- 
Gerald Pfeifer (Jerry)   gerald@pfeifer.com   http://www.pfeifer.com/gerald/
Subject: Re: bug in search engine
From: Christopher Faylor @ 2003-10-09 21:51 UTC
To: Gerald Pfeifer; +Cc: overseers

On Thu, Oct 09, 2003 at 11:22:32PM +0200, Gerald Pfeifer wrote:
>On Thu, 9 Oct 2003, Christopher Faylor wrote:
>>> Isn't that at the discretion of the form that is used to invoke the cgi?
>>> Method="post", maybe? If so, I can fix this easily.
>> That was it. I'm changing all of the search options to use 'method="post"'.
>> That seems to work correctly.
>
>Nice detective work, thanks!
>
>> I've turned htsearch back on again.
>
>Security-wise this may be premature (if, and only if, the problem is
>exploitable): someone else could craft a form invoking our cgi-bin in
>the original "bad" way -- and given the problem was mentioned on the
>public gcc list I'd say there is a non-zero chance for someone trying.
>
>Or did I miss anything?

The problem is fixed by using the post method. I thought that I'd have
that fixed in all of the myriad places that this showed up but it is
taking *forever*. So, I've turned it off again until this is finished.

cgf
Subject: Re: bug in search engine
From: Hans-Peter Nilsson @ 2003-10-09 21:54 UTC
To: Christopher Faylor; +Cc: Gerald Pfeifer, overseers

On Thu, 9 Oct 2003, Christopher Faylor wrote:
> On Thu, Oct 09, 2003 at 04:49:47PM -0400, Christopher Faylor wrote:
> >On Thu, Oct 09, 2003 at 04:37:19PM -0400, Hans-Peter Nilsson wrote:
> >>Not needed. Anyone: Is it an apache configury thing to give
> >>cgi:s the args in argv as well as in QUERY_STRING with method
> >>GET? It happens on gcc.gnu.org, but not where I tested first.
> >>(A STFW wasn't conclusive.)
> >
> >Isn't that at the discretion of the form that is used to invoke the cgi?

Not really. The interesting question is why the apache at bitrange.com
(1.3.27) does not pass argv and why it does on gcc/sourceware (2.0.40).
What confparam is different between my apache and yours?

> >Method="post", maybe? If so, I can fix this easily.
>
> That was it. I'm changing all of the search options to use 'method="post"'.
> That seems to work correctly.

Sorry, but that's unimportant and beside the point, as Gerald pointed out.

> I've turned htsearch back on again.

Please turn it off again.

brgds, H-P
Subject: Re: bug in search engine
From: Christopher Faylor @ 2003-10-09 22:04 UTC
To: Hans-Peter Nilsson; +Cc: Gerald Pfeifer, overseers

On Thu, Oct 09, 2003 at 05:54:53PM -0400, Hans-Peter Nilsson wrote:
>The interesting question is why the apache at bitrange.com
>(1.3.27) does not pass argv and why it does on gcc/sourceware
>(2.0.40). What confparam is different between my apache and
>yours?

It has to do with how the web page is constructed.

<form method="get" action="/cgi-bin/htsearch">
</form>

vs. this:

<form method="post" action="/cgi-bin/htsearch">
</form>

>> >Method="post", maybe? If so, I can fix this easily.
>>
>> That was it. I'm changing all of the search options to use 'method="post"'.
>> That seems to work correctly.
>
>Sorry, but that's unimportant and beside the point, as Gerald
>pointed out.

Can you explain how? method="post" tells a web server not to pass
things on the command line which seems to be precisely the point. I
don't understand why you think fixing this would not solve the problem.
This isn't a server configury thing. It's basic html.

cgf
Subject: Re: bug in search engine
From: Hans-Peter Nilsson @ 2003-10-09 22:18 UTC
To: Christopher Faylor; +Cc: Gerald Pfeifer, overseers

On Thu, 9 Oct 2003, Christopher Faylor wrote:
> On Thu, Oct 09, 2003 at 05:54:53PM -0400, Hans-Peter Nilsson wrote:
> >The interesting question is why the apache at bitrange.com
> >(1.3.27) does not pass argv and why it does on gcc/sourceware
> >(2.0.40). What confparam is different between my apache and
> >yours?
>
> It has to do with how the web page is constructed.
>
> <form method="get" action="/cgi-bin/htsearch">
> </form>
>
> vs. this:
>
> <form method="post" action="/cgi-bin/htsearch">
> </form>

The former can be on *any web page or file:///*. Evildoer just adds
gcc.gnu.org before the /cgi-bin.

> >Sorry, but that's unimportant and beside the point, as Gerald
> >pointed out.
>
> Can you explain how? method="post" tells a web server not to pass
> things on the command line which seems to be precisely the point. I
> don't understand why you think fixing this would not solve the problem.
> This isn't a server configury thing. It's basic html.

If you have control over all html everywhere, yes, but we don't.
Which puts the focus on the apache conf.

brgds, H-P
Subject: Re: bug in search engine
From: Christopher Faylor @ 2003-10-10 0:16 UTC
To: Hans-Peter Nilsson; +Cc: Gerald Pfeifer, overseers

On Thu, Oct 09, 2003 at 06:18:43PM -0400, Hans-Peter Nilsson wrote:
>On Thu, 9 Oct 2003, Christopher Faylor wrote:
>> On Thu, Oct 09, 2003 at 05:54:53PM -0400, Hans-Peter Nilsson wrote:
>> >The interesting question is why the apache at bitrange.com
>> >(1.3.27) does not pass argv and why it does on gcc/sourceware
>> >(2.0.40). What confparam is different between my apache and
>> >yours?
>>
>> It has to do with how the web page is constructed.
>>
>> <form method="get" action="/cgi-bin/htsearch">
>> </form>
>>
>> vs. this:
>>
>> <form method="post" action="/cgi-bin/htsearch">
>> </form>
>
>The former can be on *any web page or file:///*. Evildoer
>just adds gcc.gnu.org before the /cgi-bin.

I suppose that in all of the discussion about "confparam" I missed this
simple point.
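Added example (my own code, not from the thread, from htdig or from Apache httpd) illustrating the argv-versus-QUERY_STRING distinction argued over in the messages above. One documented way a CGI program receives words in argv on a GET request is the CGI/1.1 "indexed query" rule (RFC 3875, section 4.4): when QUERY_STRING contains no unencoded "=", the server splits it on "+", URL-decodes each piece and passes the pieces as command-line arguments, whereas an ordinary form field such as words=foo+--bar contains "=" and yields no argv. The thread does not settle whether that rule is what fired on gcc.gnu.org, so the first function only models the rule. The second function shows the failure mode Aldy reported, a search word like "--bar" reaching a permuting getopt, and the third is the server-side handling Hans-Peter argues for: take the search text from the request data only (GET or POST, our form or one hosted elsewhere) and never consult argv. The function names, the toy option letters and the `words` field name are assumptions of this example, which goes a little beyond the thread by also covering a POST body and a word such as "-v" that a naive parser swallows silently.

```python
"""Added example: how a CGI's argv can be populated from a GET request, why
feeding that argv to getopt turns a search word like "--bar" into an option,
and a handler that takes the search words from the request data only.

Not code from the thread, htdig or Apache. Function names, the option
letters and the `words` field name are this example's own assumptions.
"""
import getopt
from urllib.parse import parse_qs, unquote, unquote_plus


def indexed_query_argv(query_string):
    """Model of the CGI/1.1 'indexed query' rule (RFC 3875, section 4.4):
    for a GET whose QUERY_STRING contains no unencoded '=', the server
    splits the string on '+', URL-decodes each word and passes the words as
    command-line arguments. A form field such as words=foo+--bar contains
    '=' and therefore produces no argv. Whether this rule is what happened
    on gcc.gnu.org is not settled in the thread; this only models the rule."""
    if not query_string or "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+")]


def naive_option_parse(argv):
    """The hazardous pattern: argv that the server derived from the request
    goes straight into a permuting (GNU-style) getopt. A search word that
    happens to start with '-' is consumed as an option instead of being
    searched for. The option letters are a toy set, not htsearch's.
    Returns ("ok", options, words) or ("error", message)."""
    try:
        opts, words = getopt.gnu_getopt(list(argv), "c:v")
        return ("ok", dict(opts), words)
    except getopt.GetoptError as err:
        return ("error", str(err))


def search_words_from_request(environ, body="", argv=()):
    """Hardened handling. The search text comes only from the form data
    (QUERY_STRING for GET, the urlencoded body for POST); argv is accepted
    purely to show that it is ignored. It therefore does not matter whether
    the request came from our own form or from one crafted on another site,
    nor whether that form used GET or POST."""
    del argv  # request-derived argv is never consulted
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        raw = body  # in a real CGI this is read from stdin (CONTENT_LENGTH bytes)
    else:
        raw = environ.get("QUERY_STRING", "")
    if "=" not in raw:
        # ISINDEX-style query: the whole string is the search text, and it
        # stays data; no option parser ever sees it.
        text = unquote_plus(raw)
    else:
        text = parse_qs(raw, keep_blank_values=True).get("words", [""])[0]
    return text.split()


def simulate(query_string):
    """Walk one constructed GET request through all three steps."""
    argv = indexed_query_argv(query_string)
    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": query_string}
    return {
        "argv": argv,
        "naive": naive_option_parse(argv),
        "safe": search_words_from_request(environ, argv=argv),
    }


if __name__ == "__main__":
    # Constructed queries: the thread's "foo --bar" as an indexed query and
    # as a form field, plus a word that a naive parser silently eats.
    for qs in ("foo+--bar", "words=foo+--bar", "foo+-v"):
        print(qs, "->", simulate(qs))
```

Running the script prints, for each constructed query, what the server would put in argv, what a getopt-based program makes of it, and what the hardened handler returns; the point of the last column is that it is identical for the indexed and the form-field spelling of the same search, because the handler never looks at argv at all.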
Subject: bug in search engine
From: Aldy Hernandez @ 2003-10-09 15:21 UTC
To: overseers, gcc

Try to search for... "foo --bar" on either the GCC or the GCC patches
search engine.
Subject: Re: bug in search engine
From: Paolo Carlini @ 2003-10-09 15:25 UTC
To: Aldy Hernandez; +Cc: overseers, gcc

Aldy Hernandez wrote:
>Try to search for... "foo --bar" on either the GCC or the GCC patches
>search engine.
>
Funny!

Paolo.
Subject: Re: bug in search engine
From: Gerald Pfeifer @ 2003-10-09 15:32 UTC
To: overseers, Aldy Hernandez; +Cc: Paolo Carlini, gcc

On Thu, 9 Oct 2003, Paolo Carlini wrote:
>> Try to search for... "foo --bar" on either the GCC or the GCC patches
>> search engine.
> Funny!

It looks funny, but it might well be exploitable (so it would have been
better not to post this to the widely spread gcc list).

I have thus completely disabled the whole search engine for now¹ until
H-P or someone else has had a closer look.

Gerald

¹ chmod a-x htsearch
Subject: Re: bug in search engine
From: Aldy Hernandez @ 2003-10-09 15:37 UTC
To: Gerald Pfeifer; +Cc: overseers, Paolo Carlini, gcc

> It looks funny, but it might well be exploitable (so it would have been
> better not to post this to the widely spread gcc list).

Yeah, I realized that 5 seconds after I hit send. Sorry about that.

> I have thus completely disabled the whole search engine for now¹ until
> H-P or someone else has had a closer look.

Thanks.

Aldy
Subject: Re: bug in search engine
From: Aldy Hernandez @ 2003-10-10 3:14 UTC
To: overseers

"foo --bar" is still not working. It searches for "foo bar".

The obvious security hole is gone though.
Subject: Re: bug in search engine
From: Hans-Peter Nilsson @ 2003-10-10 6:58 UTC
To: Aldy Hernandez; +Cc: overseers

On Thu, 9 Oct 2003, Aldy Hernandez wrote:
> "foo --bar" is still not working. It searches for "foo bar".

I think you misunderstand the htdig syntax. It's not supposed to search
for "foo and --bar" or "foo not bar" by that.

> The obvious security hole is gone though.

There likely never was one, just a stupid bug.

brgds, H-P