Date: Fri, 25 Jan 2019 11:34:57 +0000 From: bugzilla-noreply@freebsd.org To: rc@FreeBSD.org Subject: [Bug 235185] www/fcgiwrap: environment should be cleaned in /usr/local/etc/rc.d/fcgiwrap Message-ID: <bug-235185-20181-UHNvk5zcwV@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-235185-20181@https.bugs.freebsd.org/bugzilla/> References: <bug-235185-20181@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235185 --- Comment #8 from Rodney W. Grimes <rgrimes@FreeBSD.org> --- (In reply to vas from comment #6) I do not think "at present" that has any effect, as I can not find any place that service(8) actually does sanatize the environment, but I may of missed it in my 3 minute scan of that /bin/sh script. Either way, I do now fully support that the package specific rc.d/fcgiwrap script should do a env -i when it invokes this binary due to its potential for being a exfiltration point. Do note that the author of this program is aware of the fact that it can expose its environment and actually has an internal blacklist of env variables, so to me it appears as if the exporting is by design and intentional and the novice user running printenv in a cgi script started by this program has loaded the gun and pulled the trigger. (In reply to vas from comment #7) Realize that if you sanitize the environment in a generic way in the "foo" init system you remove the ability of the system admin to use the environment to effect anything that is started, and that would probably be a larger and painful problem to solve. -- You are receiving this mail because: You are on the CC list for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-235185-20181-UHNvk5zcwV>