oetiker / rrdtool-1.x

RRDtool 1.x - Round Robin Database
http://www.rrdtool.org
GNU General Public License v2.0

format string security issue #348

Open oetiker opened 11 years ago

oetiker commented 11 years ago

Hi,

rrdtool graph -f accepts a format string to be used by printf. This approach creates a security issue in situations where an attacker is able to control the format string. I know at least one web application that passes user supplied strings to rrdtool. Can you fix this please.

oetiker commented 11 years ago

[human] Reported by thomas.pollet@gmail.com

oetiker commented 11 years ago

[oetiker] to expose --imageinfo via a web application is NOT a good idea ... as its argument is passed on to printf (as stated in the documentation)... so the content of the argument MUST be sanitised by the web application prior to passing it to rrdtool (printf is a sharp knife!).

if you are interested in pushing that sanitization step to rrdtool, I'll be happy to add a patch, but at the same time, you might have to add other measures as well, like some means for preventing rrdtool from overwriting files on the system if someone deems to expose the path of the rrd file created via a web application ... could be quite a tricky thing.

thomaxxl commented 11 years ago

Hi,

This format string bug also lives in the python module

python -c "import rrdtool; rrdtool.graph('/tmp/out.png','-f','%s%s%n%n')"
Segmentation fault

oetiker commented 11 years ago

this 'bug' lives wherever you can access -f or --imageinfo ... as mentioned earlier. This is in the nature of printf-type interfaces ... if you want to write a parser for the format string to make sure it is valid prior to handing it to sprintf, I will be glad to include this in the next version of rrdtool. This will also take care of the python module automatically.
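A validator of the kind suggested above, written in C as an added example (not rrdtool's own code): it assumes the imginfo string is printed with the documented filename, width and height arguments, so it allows only the conversions `%s`, `%lu`, `%lu` in that order plus literal `%%`, and rejects everything else (`%n`, positional `%1$s`, flags, widths, extra conversions).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Allow-list of conversions in the order the arguments are supplied.
 * Assumption: imginfo is printed with (filename, xsize, ysize), as in the
 * documented '<IMG SRC="/img/%s" WIDTH="%lu" HEIGHT="%lu">' usage. */
static const char *const allowed[] = { "s", "lu", "lu" };
static const size_t allowed_count = sizeof allowed / sizeof allowed[0];

/* Returns true if fmt contains only the expected conversions, in order,
 * with no flags, field widths, precision, positional arguments or %n.
 * Fewer conversions than arguments is fine; more, or any other kind, is not. */
bool imginfo_format_is_safe(const char *fmt)
{
    size_t next = 0;                         /* index of the next expected conversion */
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;                        /* ordinary character */
        p++;                                 /* look at what follows the '%' */
        if (*p == '%')
            continue;                        /* "%%": a literal percent sign */
        if (next >= allowed_count)
            return false;                    /* more conversions than arguments */
        size_t len = strlen(allowed[next]);
        if (strncmp(p, allowed[next], len) != 0)
            return false;                    /* wrong conversion, flag, width or '\0' */
        p += len - 1;                        /* skip the rest of the conversion */
        next++;
    }
    return true;
}
```

A caller would reject the `-f`/`--imginfo` value up front when this returns false, before the string ever reaches printf.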