oss-sec mailing list archives

Re: wordexp(3)

From: Rich Felker <dalias () libc org>
Date: Tue, 10 Feb 2015 12:57:05 -0500

On Tue, Feb 10, 2015 at 08:27:56PM +0300, Solar Designer wrote:

Hi,

I found this curious and relevant to this list, off Twitter:

(x250) <%worr> RT @FioraAeterna: oh my gosh, Apple's libc literally implements "wordexp" by shelling out to perl: 
https://github.com/Apple-FOSS-Mirror/Libc/blob/2ca2ae74647714acfc18674c3114b1a5d3325d7d/gen/wordexp.c#L192

<worr> So yesterday, @FioraAeterna tweeted this: 
https://github.com/Apple-FOSS-Mirror/Libc/blob/2ca2ae74647714acfc18674c3114b1a5d3325d7d/gen/wordexp.c#L192. I've 
decided to take a tour of wordexp(3) implementations
<@worr> They can't all be that bad
(x2) <@worr> NetBSD and FreeBSD both use a sh builtin to implement wordexp(3): 
http://svnweb.freebsd.org/base/head/lib/libc/gen/wordexp.c?revision=254977&view=markup 
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gen/wordexp.c?rev=1.3&content-type=text/x-cvsweb-markup&only_with_tag=MAIN
(x5) <@worr> OpenBSD wins the wordexp(3) contest, by refusing to implement it altogether.
<@worr> Correction: glibc implements a huge recursive descent parser, and only shells out when it needs to do 
subshell expansions.
<@worr> tbh, wordexp(3) is an antifeature. Maybe even a misfeature.
<@worr> Here's the implementation, btw: 
https://sourceware.org/git/?p=glibc.git;a=blob;f=posix/wordexp.c;h=26f3a2653feba2b1a5904937d9d6b58c32109e24;hb=a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c#l872
<@worr> Continuing on my tour of wordexp(3) implementations, here's Illumos': 
https://github.com/joyent/illumos-joyent/blob/master/usr/src/lib/libc/port/regex/wordexp.c#L218-L290 It constructs a 
small shell script and runs it


POSIX is explict that the wordexp interface is designed such that
invoking a shell is one valid implementation choice. My view on all
this is that pretty much anything wordexp-related is not CVE-worthy;
wordexp simply is not a proper tool to be using in programs dealing
with untrusted inputs -- either untrusted input strings, or untrusted
environment contents. Obviously implementations using /bin/sh were
vulnerable to shellshock on systems where /bin/sh is bash.

Rich

Current thread:

wordexp(3) Solar Designer (Feb 10)
- Re: wordexp(3) Rich Felker (Feb 10)
  - Re: wordexp(3) Rich Felker (Feb 10)
  - Re: wordexp(3) John Haxby (Feb 11)
- Re: wordexp(3) Stuart Henderson (Feb 11)
  - Re: wordexp(3) Florian Weimer (Feb 11)
    - Re: wordexp(3) Tim (Feb 11)
    - Re: wordexp(3) Daniel Micay (Feb 11)