fedora 25
shell weakness #12

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

inventor/apps/samples/widgets/MyFileRead.c++

Context:

The highlighted line of code below is the trigger point of this particular Fedora 25 shell weakness.

 // Returns a pipe to read data from if conversion was successful.
// That pipe is NULL if the conversion failed.
// This uses routeprint to perform the conversion via FTR rules.
// It will fail gracefully if routeprint and/or the FTR database don't exist.
//
static FILE *
convertToInventor(const char *filename)
//
////////////////////////////////////////////////////////////////////////
{
#define BUFSIZE 512
#define destinationFileType "Inventor2.1File"

    char routeprintCmd[BUFSIZE];
    char conversionCmd[BUFSIZE];
    FILE *pipeFile;
    FILE *ivDataPipe = NULL;
    
    // Use routeprint to figure out how to convert to Inventor format
    sprintf(routeprintCmd, "/usr/sbin/routeprint -d %s %s 2> /dev/null",
	    destinationFileType, filename);

    // routeprint will return a conversion command which we can
    // then execute to convert the file.
    if (NULL != (pipeFile = popen(routeprintCmd, "r"))) {
	// read the command, which may be garbage: check return code
	(void) fgets(conversionCmd, BUFSIZE, pipeFile);
	// use pclose to check the return code of routeprint:
	// you have to check for non-zero return before executing conversionCmd
	if (0 != pclose(pipeFile)) {
	    // Failed!
	    return ivDataPipe;
	}
	// Now try to execute the actual conversion.
	// If conversion is successful, we can read from the data pipe.
	// If not, the data pipe will be NULL: which is our return code.
	ivDataPipe = popen(conversionCmd, "r");
    } 
    
    return ivDataPipe;
}

/////////////////////////////////////////////////////////////////////////////
//
// Read all objects from the given file and return under one separator.
//
SoSeparator *
MyFileRead(const char *filename, SbString &errorMessage)
//
///////////////////////////////////////////////////////////////////////////// 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.