Hi,
Jan Stary wrote on Tue, Jan 02, 2018 at 01:03:17AM +0100:
> With mandoc in base, does anyone use www/man2web?
I had a quick look at the code.
* doc/README.OpenBSD says:

      You will have to disable chroot, of course. See
      http://www.openbsd.org/faq/faq10.html#httpdchroot
      for more information on this.

  That is quite scary, and the link is of course dead.
* doc/README.OpenBSD also says:

      --with-manpath=/usr/X11/man/:/usr/X11R6/man/:/usr/contrib/man/: \
      /usr/local/man/:/usr/share/man:/usr/contrib/man:/usr/gnu/man

  That is scary, too: It suggests serving the system manuals
  on the web(!) - rather than serving a dedicated tree as it should.
  It is also completely wrong, suggesting several non-existent
  paths, and very sloppy, including a duplicate of one of the
  non-existent paths.
* src/output_man.c uses popen(3) to spawn the man(1) found in the
system search path in the root file system of the machine.
When appending user supplied input received over the wire,
IT DOES NO VALIDATION OR SANITATION WHATSOEVER, not even guarding
against shell metacharacters in the arguments appended to the
string passed to popen(3). ARBITRARY REMOTE CODE EXECUTION
is trivial for an attacker.
* src/mystrings.c, which contains utilities employed all over
the place, is essentially based on strcpy(3) and strcat(3).
* It runs man(1) in whatever the default output mode is (-Tlocale
on OpenBSD) and src/output_man.c contains ridiculously
complicated hand-rolled code to translate backspace-encoding
to HTML. I'd be quite surprised if that code would be correct.
* It writes all output inside <PRE> tags, and all markup is
entirely heuristic, no structural processing capabilities
whatsoever.
* It looks like ISO-LATIN encoding is hardcoded (not quite sure),
in any case i don't see any indication of UTF-8 support.
So, this is a web application using the most dangerous idioms
in the book, not even attempting the most trivial security practices,
technically utterly outdated even in respects not related to security,
and very sloppy throughout on top of all that. *Of course* you
have to disable chroot. Rrright.
To summarize, i strongly support the deletion of this nightmarish
thing.
Yours,
Ingo
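For readers who want to see what the popen(3) point above looks like when done properly, here is an added example; it is not man2web code and not part of Ingo's mail. It shows the two things a CGI front end to man(1) must do before spawning anything: reject page names that are not plausible manual page names (the allow-list of characters, the length limit and the hypothetical helper names man_name_ok, man_section_ok, build_man_argv and run_man are all this example's own choices), and then execute man(1) through fork/execvp with an argv array so that no shell ever parses the user's input. It assumes the mandoc man(1) accepting "-s section" and the usual getopt "--" terminator.

```c
/* Added example (not from man2web): validate a user-supplied manual
 * page name and run man(1) without a shell, instead of concatenating
 * wire input into a popen(3) command string. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define NAME_MAX_LEN 64	/* assumed limit; real page names are far shorter */

/* Allow-list check (this example's own policy): ASCII letters, digits,
 * '_', '-', '.', ':'.  Reject empty or overlong names, a leading '-'
 * (would be parsed as an option) or '.', and anything else, which
 * also covers '/', whitespace and every shell metacharacter. */
int
man_name_ok(const char *name)
{
	size_t len, i;

	if (name == NULL)
		return 0;
	len = strlen(name);
	if (len == 0 || len > NAME_MAX_LEN)
		return 0;
	if (name[0] == '-' || name[0] == '.')
		return 0;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)name[i];
		if (c > 127)
			return 0;
		if (!isalnum(c) && c != '_' && c != '-' &&
		    c != '.' && c != ':')
			return 0;
	}
	return 1;
}

/* Optional section: NULL (none) or 1 to 3 ASCII characters,
 * the first a digit, the rest alphanumeric (e.g. "3", "3p"). */
int
man_section_ok(const char *section)
{
	size_t len, i;

	if (section == NULL)
		return 1;
	len = strlen(section);
	if (len == 0 || len > 3 || !isdigit((unsigned char)section[0]))
		return 0;
	for (i = 1; i < len; i++)
		if (!isalnum((unsigned char)section[i]))
			return 0;
	return 1;
}

/* Build argv for execvp(3): {"man", ["-s", section,] "--", name, NULL}.
 * argv must have room for 6 pointers.  Returns the number of entries
 * before the terminating NULL, or -1 if either input is rejected. */
int
build_man_argv(const char *section, const char *name, const char *argv[6])
{
	int n = 0;

	if (!man_name_ok(name) || !man_section_ok(section))
		return -1;
	argv[n++] = "man";
	if (section != NULL) {
		argv[n++] = "-s";
		argv[n++] = section;
	}
	argv[n++] = "--";	/* end of options, even if validation is bypassed */
	argv[n++] = name;
	argv[n] = NULL;
	return n;
}

/* Run man(1) with the validated argv and copy its standard output to
 * out.  No shell is involved: the arguments go straight to execvp(3).
 * Returns the child's exit status, or -1 on a local failure. */
int
run_man(const char *section, const char *name, FILE *out)
{
	const char *argv[6];
	int fds[2], status;
	char buf[4096];
	ssize_t n;
	pid_t pid;

	if (build_man_argv(section, name, argv) < 0 || pipe(fds) == -1)
		return -1;
	if ((pid = fork()) == -1)
		return -1;
	if (pid == 0) {
		close(fds[0]);
		dup2(fds[1], STDOUT_FILENO);
		close(fds[1]);
		execvp(argv[0], (char *const *)argv);
		_exit(127);	/* exec failed */
	}
	close(fds[1]);
	while ((n = read(fds[0], buf, sizeof(buf))) > 0)
		fwrite(buf, 1, (size_t)n, out);
	close(fds[0]);
	if (waitpid(pid, &status, 0) == -1)
		return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The argv builder is the part worth copying: once the page name has to pass man_name_ok and travels as a separate argv element, there is no string for a ';' or '`' to break out of, which is exactly the property the popen(3) string in src/output_man.c lacks. The "--" is belt-and-braces against a name that somehow starts with '-'.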