rackup security issue with params and CGI scripts


Sam Roberts

Mar 11, 2009, 4:49:27 PM3/11/09
to rack-...@googlegroups.com
I have difficulty finding a good CGI spec, but it appears that when
the query params do not contain an = sign, at least, the query params
are tokenized and passed as the ARGV of the CGI script.

I found this after much head scratching wherein:

http://example.com/rackup?a=b

would work, but

http://example.com/rackup?ab

would error (server 500), because instead of looking for config.ru,
rackup would look for "ab" as the rackup file.

This allows arbitrary execution of ruby files on the host:

http://example.com/rackup?-r/tmp/root-me

I can't find the decoding rules, but it might also be possible to do:

http://example.com/rackup?-earbitrary-ruby-code

I suggest that ARGV not be used for options parsing if rackup is being
executed as a CGI handler.

Cheers,
Sam

Christian Neukirchen

Mar 11, 2009, 7:34:10 PM3/11/09
to rack-...@googlegroups.com
Sam Roberts <vieu...@gmail.com> writes:

> I suggest that ARGV not be used for options parsing if rackup is being
> executed as a CGI handler.

Nice find. Probably not a good idea to use rackup for CGI starting
(It never was meant to).

--
Christian Neukirchen <chneuk...@gmail.com> http://chneukirchen.org

Christian Neukirchen

Mar 11, 2009, 7:35:15 PM3/11/09
to rack-...@googlegroups.com
Sam Roberts <vieu...@gmail.com> writes:

> I have difficulty finding a good CGI spec, but it appears that when
> query params does not contain an = sign, at least, the query params
> are tokenized, and passed as the ARGV of the CGI script.

Which web server, btw?

Sam Roberts

Mar 11, 2009, 8:14:46 PM3/11/09
to rack-...@googlegroups.com
On Wed, Mar 11, 2009 at 4:34 PM, Christian Neukirchen
<chneuk...@gmail.com> wrote:
> Probably not a good idea to use rackup for CGI starting
> (It never was meant to).

Well, rackup contains code to recognize when it is being run as CGI,
and to use the CGI handler.

What other purpose could this code have if not to support rackup to be
run as a CGI script?

Btw, found some information on this behaviour:

http://hoohoo.ncsa.uiuc.edu/cgi/cl.html

It's Apache, not sure what version, whatever is default at webfaction.com.

Sam

Christian Neukirchen

Mar 11, 2009, 8:31:46 PM3/11/09
to rack-...@googlegroups.com
Sam Roberts <vieu...@gmail.com> writes:

> What other purpose could this code have if not to support rackup to be
> run as a CGI script?

Good point. ;)

I actually didn't know that argv feature. Let's clear ARGV when on
CGI, and only apply #\-lines.
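An added example, not code from this thread or from rack itself, that models the behaviour discussed above: the CGI gateway hands an "=-less" query string to the script as ARGV, and the guard ignores ARGV under CGI and honours only the rackup file's `#\` line. The function names, the simulated env hash and the sample rackup source are assumptions.

```ruby
require 'uri'

# Model the CGI "indexed query" rule (RFC 3875, section 4.4): when
# QUERY_STRING has no "=", the server splits it on "+" and URL-decodes
# each piece into the script's argv. A normal "a=b" query yields no argv.
def cgi_argv_for(query_string)
  return [] if query_string.include?("=")
  query_string.split("+").map { |w| URI.decode_www_form_component(w) }
end

# A CGI gateway sets GATEWAY_INTERFACE (and REQUEST_METHOD) in the
# environment; a plain command-line start does not. Defaults to ENV.
def running_under_cgi?(env = ENV)
  env.key?("GATEWAY_INTERFACE") || env.key?("REQUEST_METHOD")
end

# Under CGI, ARGV is attacker-influenced (see the thread), so it is
# discarded entirely; only the "#\ ..." line at the top of the rackup
# source supplies options. Outside CGI, ARGV is used as usual.
def rackup_options(argv, env, rackup_source)
  return argv unless running_under_cgi?(env)
  first = rackup_source.lines.first.to_s
  return [] unless first.start_with?('#\\')
  first.sub('#\\', '').strip.split
end

if __FILE__ == $0
  # Constructed sample inputs for a stand-alone run.
  cgi_env = { "GATEWAY_INTERFACE" => "CGI/1.1", "REQUEST_METHOD" => "GET" }
  src = "#\\ -p 9292\nrun lambda { |env| [200, {}, ['ok']] }\n"
  p cgi_argv_for("a=b")                               # []
  p cgi_argv_for("ab")                                # ["ab"]
  p rackup_options(cgi_argv_for("ab"), cgi_env, src)  # ["-p", "9292"]
  p rackup_options(["-p", "3000"], {}, src)           # ["-p", "3000"]
end
```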

Christian Neukirchen

Mar 11, 2009, 8:36:38 PM3/11/09
to rack-...@googlegroups.com
Sam Roberts <vieu...@gmail.com> writes:

> I suggest that ARGV not be used for options parsing if rackup is being
> executed as a CGI handler.

Please review and test
http://github.com/chneukirchen/rack/commit/d6d0c388ff5aa3b0e43359ec400d8238f23ed1df

Sam Roberts

Mar 12, 2009, 11:58:19 PM3/12/09
to rack-...@googlegroups.com
On Wed, Mar 11, 2009 at 5:36 PM, Christian Neukirchen
<chneuk...@gmail.com> wrote:
> Please review and test
> http://github.com/chneukirchen/rack/commit/d6d0c388ff5aa3b0e43359ec400d8238f23ed1df

Looks good, that's exactly what I did.

Cheers,
Sam
