Xref: utzoo news.admin:4207 news.sysadmin:1865 comp.mail.uucp:2480
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!ukma!rutgers!deimos!cseg!dws
From: dws@cseg.uucp (David W. Summers)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Summary: Please tell me what is wrong with this?
Keywords: maps unpacking unshar security hole
Message-ID: <1381@cseg.uucp>
Date: 8 Dec 88 01:24:39 GMT
References: <1971@van-bc.UUCP> <572@comdesign.CDI.COM> <5517@medusa.cs.purdue.edu> <157@ecicrl.UUCP>
Organization: College of Engineering, University of Arkansas, Fayetteville
Lines: 55

In article <157@ecicrl.UUCP>, clewis@ecicrl.UUCP (Chris Lewis) writes:
> [ deleted ] 
> Getting back for a moment to map unpacking - I think that the point has
> been well made about automatic map unpacking being unsafe unless you use
> uuhosts or something similar.  It was rather funny seeing the "but I'm
> safe because I use unshar" remarks, and then later those same people finding
> out that their unshar is *probably*  (you get that?  "probably" - there are
> literally hundreds of versions of unshar out there - don't flame me if
> you happen to have one of the one or two that doesn't use /bin/sh) extremely
> unsafe.
> 
> I still think it would be a really good idea to come up with a new
> format for map postings, so that we don't have to go through this fuss
> about security holes over and over again as new SA's come online and 
> use the easy way out.  As expressed by Scot Wilcoxon (datapg!sewilco) [...]

   That is a good idea, but what is wrong with this?
================================================================================
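#! /bin/sh
# This program un-archives the map info and stores it in the map directory.
# Stop if the map directory is missing, so nothing is written elsewhere.
cd /usr2/netnews/maps || exit 1
# Drop everything up to the first "echo" line and from SHAR_EOF onward.
sed -e '1,/^echo/d' -e '/^SHAR_EOF/,$d' |
(
  # The first remaining line must be:  cat << 'SHAR_EOF' > filename
  read CAT IN TERMINATOR OUT FILENAME
  if [ "$CAT" != cat -o "$IN" != '<<' -o "$TERMINATOR" != \'SHAR_EOF\' -o "$OUT" != '>' ]
  then
    echo "$0: bad shar format."
    echo "First line after echo is:"
    echo "$CAT $IN $TERMINATOR $OUT $FILENAME"
    echo Map file ignored.
    exit 1
  else
    # basename strips any directory part; the quotes keep the name one word.
    cat >./`basename "$FILENAME"`
  fi
)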
================================================================================

  The program doesn't use 'sh', and no one can force the file into another
directory because of the 'basename' command as it is put into the maps
directory.  Can anyone find something wrong with this so I can improve it even
more?

   Thanks to whoever provided much of this script... I was using 'sed' and
'sh' until your script came along and I decided to protect myself as much as
is reasonable.

   The main thing that I can see wrong is that someone could still corrupt the
map upstream of my site, but since I'm only 2-3 sites away from 'rutgers' I
don't consider this too much of a problem.

   Any comments or suggestions appreciated.

     - David Summers
       (dws@cseg.uucp)
       (..!ksuvax1!harry!hcx!cseg!dws)
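
A stricter unpacker along the lines of the script in this post, as an added example (not code from the post or the thread): it refuses header lines with trailing words and file names outside a narrow allowlist, and writes through a temporary file. The function names, the allowed character set, the 64-character limit and the sample article are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the script from the post. The accepted filename alphabet
# and the 64-character limit are assumptions, not a documented map-naming rule.

# valid_map_name NAME: succeed only for a plain name we are willing to create.
valid_map_name() {
  case "$1" in
    ''|.*|-*) return 1 ;;            # empty, dotfile (incl. . and ..), option-like
    *[!A-Za-z0-9._-]*) return 1 ;;   # anything outside the allowed set, so no '/'
  esac
  [ "${#1}" -le 64 ]
}

# unpack_map DIR: read one article on stdin and store its single file in DIR.
# Returns non-zero on rejected input; the article text is never run by a shell.
unpack_map() {
  dir=$1
  [ -d "$dir" ] || return 1
  sed -e '1,/^echo/d' -e '/^SHAR_EOF/,$d' | (
    # -r keeps backslashes literal; "extra" catches trailing words on the line.
    read -r c op term gt name extra || exit 1
    [ "$c $op $term $gt" = "cat << 'SHAR_EOF' >" ] || exit 1
    [ -z "$extra" ] || exit 1
    valid_map_name "$name" || exit 1
    [ ! -d "$dir/$name" ] || exit 1
    tmp=$dir/.tmp.$$                 # dot-name cannot collide with a valid map name
    if cat > "$tmp" && mv -f "$tmp" "$dir/$name"; then exit 0; fi
    rm -f "$tmp"; exit 1
  )
}

# sample_article NAME: print a constructed article whose header names NAME.
sample_article() {
  printf '%s\n' 'Path: constructed!example' '' 'echo shar: extracting' \
    "cat << 'SHAR_EOF' > $1" '#N example' '#S constructed map entry' \
    'SHAR_EOF' 'exit 0'
}

# Demo on constructed input: one acceptable name, then names that are refused.
demo=$(mktemp -d) || exit 1
for n in u.example.1 ../escape -n .hidden 'two words'; do
  if sample_article "$n" | unpack_map "$demo"; then
    echo "stored:   $n"
  else
    echo "rejected: $n"
  fi
done
rm -rf "$demo"
```
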