apache: privilege escalation

Package(s): apache
CVE #(s): CVE-2012-0883
Created: June 25, 2012
Updated: February 12, 2013
Description: From the CVE entry:

envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.

Alerts:
Gentoo 201206-25 2012-06-24
Mandriva MDVSA-2012:154 2012-09-28
Mandriva MDVSA-2012:154-1 2012-10-01
Mageia MGASA-2012-0280 2012-10-06
openSUSE openSUSE-SU-2013:0243-1 2013-02-05
openSUSE openSUSE-SU-2013:0248-1 2013-02-05
Fedora FEDORA-2013-1661 2013-02-12

apache: privilege escalation

Posted Jun 28, 2012 9:49 UTC (Thu) by rwmj (subscriber, #5474) [Link]

Why should empty elements of paths mean "use random stuff from the current directory"? It means when you write:

export LD_LIBRARY_PATH=/somedir:$LD_LIBRARY_PATH

that you've accidentally introduced a security bug.

I emailed Ulrich Drepper about the security-hostile behaviour of LD_LIBRARY_PATH back in 2000. He rejected the change then. I'm not happy to see that it's still causing security holes 12 years later.

apache: privilege escalation

Posted Jun 28, 2012 11:40 UTC (Thu) by nix (subscriber, #2304) [Link]

Agreed. It *is* the standard behaviour of PATH-searching programs to consider an empty element to mean '.', but nobody seems to expect it: I've encountered empty elements half a dozen times now, and in each case the person who introduced it did so accidentally, thought an empty element would be skipped, and didn't realise the consequences.

Perhaps some (really crappy) code out there is depending on this behaviour. Let it break, I say. (Oddly Uli was happy to say 'let it break' about much more significant bodies of code at times.)
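
The empty-element problem described in the CVE entry and in the comments above, shown as an added example (not from LWN, the commenters or the Apache project): when the previous value is empty, the `DIR:$VAR` pattern leaves a trailing colon, while the `${VAR:+:$VAR}` form does not. Function names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: empty elements in a colon-separated search path.
# Function names and sample values are constructed for illustration.

# Return 0 if the list has an empty element (leading, trailing or doubled
# colon). A wholly empty value is treated as "no elements" here; that is
# a choice made by this example.
has_empty_element() {
    case "$1" in
        "")            return 1 ;;
        :*|*:|*::*)    return 0 ;;
        *)             return 1 ;;
    esac
}

# The pattern quoted in the comment: DIR:$VAR, with VAR possibly unset/empty.
prepend_unsafe() {
    printf '%s\n' "$1:$2"
}

# Only emit the separator when there is an existing value to join to.
prepend_safe() {
    printf '%s\n' "$1${2:+:$2}"
}

# Drop empty elements from a list that already contains them.
strip_empty() (
    set -f          # no globbing while splitting
    IFS=:
    out=
    for elem in $1; do
        [ -n "$elem" ] || continue
        out="${out:+$out:}$elem"
    done
    printf '%s\n' "$out"
)

# Constructed demonstration: previous value empty, then non-empty.
for prev in "" "/opt/lib"; do
    for fn in prepend_unsafe prepend_safe; do
        new=$("$fn" /somedir "$prev")
        if has_empty_element "$new"; then verdict="EMPTY ELEMENT"; else verdict="ok"; fi
        printf '%-15s prev=%-10s -> %-20s %s\n' "$fn" "'$prev'" "$new" "$verdict"
    done
done
```

`has_empty_element` can be run over the value a wrapper script is about to export, and `strip_empty` applied to a value inherited from elsewhere.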

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds