web interface allows to run arbitrary commands on host

[carandraug]

1. it uses backticks instead of system() with a list of arguments in order to collect output
2. it uses the same filenames as the ones uploaded (I'm guessing it makes more sense to interpret)
3. only removes slashes from the filename

The above means that a file named foo $(do something bad).xls will do something bad. Limited to what the user that runs the cgi script can do.

[darogan]

Would IPC::Open2 solve this too #12 ?

[carandraug]

It can solve the problem. You will need to call it avoiding the shell (by passing a list of arguments instead of a command string) as you would when using system. I believe this only works reliably on Unix systems though --- in Windows the arguments often end up being concatenated anyway (which is not an issue since the web interface already does not work in Windows).

[carandraug]

Are you still planning on fixing this?

[darogan]

Yes, but I'm pretty snowed under at the moment. Would be a week or two at the earliest.

[carandraug]

That's ok., we are in no hurry. We can use it internally in the mean time.

[carandraug]

ping

[darogan]

@carandraug I have set up a managed web service (with advanced monitoring and quarantine facilities) server here at the University of Cambridge to host particlestats. The new url will be http://particlestats.trophoblast.cam.ac.uk but will be a week or so before I can set up ParticleStats to run there.