darogan / ParticleStats

ParticleStats: Open source software for the analysis of intracellular particle motility and cytoskeletal polarity
GNU General Public License v3.0

web interface allows to run arbitrary commands on host #11

Open carandraug opened 8 years ago

carandraug commented 8 years ago
  1. it uses backticks instead of system() with a list of arguments in order to collect output
  2. it uses the same filenames as the ones uploaded (I'm guessing it makes more sense to interpret)
  3. only removes slashes from the filename

The above means that a file named foo $(do something bad).xls will do something bad. Limited to what the user that runs the cgi script can do.

darogan commented 8 years ago

Would IPC::Open2 solve this too #12 ?

carandraug commented 8 years ago

It can solve the problem. You will need to call it avoiding the shell (by passing a list of arguments instead of a command string) as you would when using system. I believe this only works reliably on Unix systems though --- in Windows the arguments often end up being concatenated anyway (which is not an issue since the web interface already does not work in Windows).
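To illustrate the two points raised in this thread (backticks handing the filename to the shell, and the list-form IPC::Open2 call that avoids it), here is an added example; it is not code from the ParticleStats repository. The tool name `analyse_particles`, the upload directory and the name-sanitising rules are assumptions for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IPC::Open2;
use File::Basename qw(basename);

# Unsafe pattern described in the issue: backticks pass the whole string to
# /bin/sh, so an upload named 'foo $(do something bad).xls' runs the command.
sub run_unsafe {
    my ($upload_name) = @_;
    return `analyse_particles $upload_name`;    # do not use
}

# Derive an on-disk name we control instead of reusing the uploaded one.
# Only strips what we know is safe to strip; anything else becomes '_'.
sub safe_name {
    my ($upload_name) = @_;
    my $base = basename($upload_name);          # drop any directory part
    $base =~ s/[^A-Za-z0-9._-]/_/g;             # conservative character set
    $base =~ s/^\.+//;                          # no leading dots ('..', hidden)
    die "empty filename after sanitising\n" unless length $base;
    return $base;
}

# Hardened version: list form of open2, so each argument is one argv entry
# and no shell is involved. As noted above, this holds on Unix; on Windows
# the arguments may still be joined into a single command string.
sub run_safe {
    my ($upload_name) = @_;
    my $path = '/var/lib/particlestats/uploads/' . safe_name($upload_name);

    my $pid = open2(my $child_out, my $child_in, 'analyse_particles', $path);
    close $child_in;                            # tool reads the file, not stdin
    my $output = do { local $/; <$child_out> }; # slurp everything it prints
    waitpid($pid, 0);
    die 'analyse_particles failed (exit ' . ($? >> 8) . ")\n" if $?;
    return $output;
}

# The same filename from the issue is now just an odd-looking, inert name.
print run_safe('foo $(do something bad).xls');
```

With the list form the child sees the literal argument `foo__do_something_bad_.xls`; nothing is interpolated by a shell because none is started.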

carandraug commented 8 years ago

Are you still planning on fixing this?

darogan commented 8 years ago

Yes, but I'm pretty snowed under at the moment. Would be a week or two at the earliest.

carandraug commented 8 years ago

That's ok, we are in no hurry. We can use it internally in the meantime.

carandraug commented 7 years ago

ping

darogan commented 7 years ago

@carandraug I have set up a managed web service (with advanced monitoring and quarantine facilities) server here at the University of Cambridge to host particlestats. The new url will be http://particlestats.trophoblast.cam.ac.uk but will be a week or so before I can set up ParticleStats to run there.