alpine 3.6
shell weakness #94


Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

fcgi/src/fcgi-2.4.0/libfcgi/fcgi_stdio.c

Context:

The trigger point of this particular Alpine 3.6 shell weakness is the reference to popen() in the code below: popen() hands its command argument to a shell, so any attacker-influenced content in that string can turn into unexpected commands on the operating system.

#ifdef _WIN32
#define DLLAPI  __declspec(dllexport)
#endif

#include "fcgiapp.h"
#include "fcgios.h"
#include "fcgimisc.h"

#define NO_FCGI_DEFINES
#include "fcgi_stdio.h"
#undef NO_FCGI_DEFINES

#ifndef _WIN32

extern char **environ;

#ifdef HAVE_FILENO_PROTO
#include <stdio.h>
#else
extern int fileno(FILE *stream);
#endif

extern FILE *fdopen(int fildes, const char *type);
extern FILE *popen(const char *command, const char *type);
extern int pclose(FILE *stream);

#else /* _WIN32 */

#define popen _popen
#define pclose _pclose

#endif /* _WIN32 */

FCGI_FILE _fcgi_sF[3];


/*
 *----------------------------------------------------------------------
 *
 * FCGI_Accept --
 *
 *      Accepts a new request from the HTTP server and creates
 *      a conventional execution environment for the request.
 *
 *      If the application was invoked as a FastCGI server,
 *      the first call to FCGI_Accept indicates that the application
 *      has completed its initialization and is ready to accept
 *      a request.  Subsequent calls to FCGI_Accept indicate that
 *      the application has completed its processing of the 
