[mythtv-users] User jobs - bash way to handle spaces in title ?

Jerry Bett bjett80 at gmail.com
Mon Jun 26 20:46:15 UTC 2006


On 6/26/06, Peter Watkins <peterw at tux.org> wrote:
>
> Jerry Bett wrote:
> > This may be more of a bash question than a myth question ... if so,
> > forgive me.
> >
> > I have a user job  that encodes shows for my Palm TX ... run as :
> >
> >             palmencode $FILE% "$TITLE%" "%SUBTITLE%"
> >
> >  'palmencode' is a bash script inputting the command line as $1, $2 and $3
> >
> > How can one get the full title with spaces and other special characters?
>
> Eek. When you find a decent fix for this, update
> http://www.mythtv.org/wiki/index.php/User_Jobs
>
> This looks like a likely security problem; what happens if someone at
> the organization providing your listings decides to publish a subtitle
> like
>   x;#";#';touch /tmp/coulda-done-anything
> Would Myth then cause "touch /tmp/coulda-done-anything" to run? Does
> Myth have anything like Wietse Venema's safe_finger character scrubber?
>
> I think the best approach with the current features would be to only
> pass a variable that should only have safe chars like %FILE% to some
> wrapper script. The wrapper script would get the other details from
> MySQL, and would scrub each variable extracted from MySQL before calling
> palmencode. It's technically possible to safely call palmencode with
> arbitrary data, e.g. in Perl, you can pass multiple args to an app with
> system() by passing multiple arguments to system() like
> system("/path/to/palmencode",$file,$title,$subtitle) should lead to
> palmencode properly reading the input -- but I would not assume that
> palmencode and the apps it calls can handle arbitrary strings. All too
> often, Unix/Linux scripts and apps expect to be passed "safe" args.
>
> Another approach would be to make a wrapper script and call it with a
> user job like
>    palmencode_wrapper FILE____%FILE% TITLE____%TITLE% SUBTITLE____
> Have palmencode_wrapper build a single string out of all the arguments,
> use the odd ____ prefixes to extract the variables, change whitespace to
> something like "_", scrub them of any characters not known to be OK
> (regexp [^0-9a-zA-Z\.\_\-] ?), and then pass those sanitized args to
> palmencode. This approach should work for most innocent title/subtitle
> values, but it sounds like Myth is letting some shell expansion take
> place, so this wouldn't be a bulletproof workaround.
>
> I don't think you should have to go to that trouble though. IMO, Myth
> should use a "positive"/"white list" filter (allow known good; discard
> other) for those variables (and document the whitelist, so users know
> whether to expect whitespace, for instance). If it doesn't, and my
> 'touch' suggestion really would make that test file, then it's a
> security flaw.
>
> Myth shouldn't bother trying to escape chars with "/", etc. Any app that
> really needs the raw strings should check with the database.
>
> -Peter
>

Peter,

Looks like the problem was self-induced.

I added additional logging to my script, specifically "echo $@  >> $LOG" and
did not see any quotes around the TITLE/SUBTITLE values.

Checking mythtv-setup again I found the quotes missing ... instead of
"$TITLE" I only had $TITLE.  I know I added them ... no idea why they
were missing.

Anyway ... looks like it's working now.

As far as security, the $TITLE & $SUBTITLE is used as the filename of the
new palm file, ie    $OUTFILE=$TITLE"-"$SUBTITLE".avi" .

The final command for the script is   cp TEMPFILE $OUTFILE .    I'm curious
as to whether a malicious $TITLE could be used and will check it out.

Thanks for the info !
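
The whitelist scrub discussed in the quoted reply, applied to the title-subtitle file name described above. This is an added example, not part of the original thread and not MythTV or palmencode code; scrub and make_outfile are hypothetical helper names, and stripping leading dots and dashes goes one step beyond the character list given in the thread.

```shell
#!/bin/sh
# Added example: whitelist scrubber for listing-supplied strings.
# scrub() and make_outfile() are hypothetical helpers, not MythTV code.

# Keep only characters known to be safe in a file name.
# Whitespace becomes "_"; everything outside 0-9 A-Z a-z _ . - is dropped.
scrub() {
    cleaned=$(printf '%s' "$1" | LC_ALL=C tr '[:space:]' '_' \
                               | LC_ALL=C tr -cd '0-9A-Za-z_.-')
    # Strip leading dots and dashes so the result is never a hidden
    # file, "." or "..", or something a command would read as an option.
    while :; do
        case $cleaned in
            [.-]*) cleaned=${cleaned#?} ;;
            *) break ;;
        esac
    done
    # An input with no safe characters at all gets a fixed fallback name.
    printf '%s' "${cleaned:-untitled}"
}

# Build the output name from scrubbed parts only.
make_outfile() {
    printf '%s-%s.avi' "$(scrub "$1")" "$(scrub "$2")"
}

# Constructed sample input; the subtitle is the string quoted in the thread.
title='Doctor Who'
subtitle="x;#\";#';touch /tmp/coulda-done-anything"
outfile=$(make_outfile "$title" "$subtitle")
printf '%s\n' "$outfile"

# When copying, keep every expansion quoted and end option parsing:
#   cp -- "$tempfile" "$outdir/$outfile"
```

The scrub only protects the script that calls it: the job command line configured in mythtv-setup still has to quote each substituted value, as found earlier in this message.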