[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Chicken-announce] [SECURITY] Incomplete escaping in qs procedure may le

From: Peter Bex
Subject: [Chicken-announce] [SECURITY] Incomplete escaping in qs procedure may lead to arbitrary shell code execution
Date: Sun, 21 Apr 2013 15:44:51 +0200
User-agent: Mutt/

Hello Chicken users,

It was discovered that the "qs" procedure from the "utils" module
performs incomplete escaping.  On Windows (mingw32), this procedure
quoted the string but did not escape embedded quote characters.
On Unix, this procedure did not escape the pipe character.  On both
systems, the procedure simply copied NULL characters in the input string
to the output string.  This last detail is less important, because all
procedures which pass the string to the shell contain a check for NUL

Furthermore, this procedure relied on a blacklist of "special" shell
characters, which is considered bad practice as it is too easy to forget
a character and some shells have different rules as to which characters
are special.

What all this means in practice is that an attacker-supplied filename
or any other program argument can lead to arbitrary shell code execution
through OS command injection, which is exactly what qs intends to prevent.

This bug is present in all versions of CHICKEN prior to revision
58684f69572453acc6fed7326fa9df39be98760e, in which it was fixed by
switching to a whitelist approach on Unix and escaping quotes on Windows.
CHICKEN 4.9.0 will include this fix.

The best workaround for this problem for older Chicken versions is to
avoid calling out to the shell.  Instead, you can rely on the
PROCESS-EXECUTE procedure from the posix module, or use the safe
multi-argument version of the PROCESS[*] procedures, also from the posix
module.  If you require the shell's easy pipeline and redirection
capabilities, you can use the scsh-process egg which uses PROCESS-EXECUTE
under the hood.

You can also update to master 58684f69572453acc6fed7326fa9df39be98760e or
apply the patch at

Many thanks to Florian Zumbiehl for pointing out the problem and
providing the initial patch.

Kind regards,

reply via email to

[Prev in Thread] Current Thread [Next in Thread]