[CDRIVER-1953] Escape double quotes in MONGOC_USER_SET_LDFLAGS/CC/CFLAGS Created: 12/Dec/16  Updated: 12/Jan/17  Resolved: 13/Dec/16

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: 1.5.0
Fix Version/s: 1.5.1

Type: Bug Priority: Major - P3
Reporter: Karolin Varner Assignee: Hannes Magnusson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The commit below breaks the build if the user-supplied CFLAGS, LDFLAGS or CC contain a double quote.

E.g. if CFLAGS is -I"/usr/include" it would be expanded like this:

#define MONGOC_USER_SET_CFLAGS "@MONGOC_USER_SET_CFLAGS@"
#define MONGOC_USER_SET_CFLAGS "-I"/usr/include""
if (strlen (MONGOC_USER_SET_LDFLAGS) > 0) …
if (strlen ("-I"/usr/include"") > 0) …

The last line suffers a syntax error because /usr/include is now not part of a string.
Beyond simply breaking the build it may also be possible to inject arbitrary code using this mechanism which may be a security risk in rare cases.

commit 69428d095b897cfdede1a3ddbff257528b67ccb7
Author: ian boros <ian.boros@10gen.com>
Date:   Tue Aug 9 14:24:17 2016 -0400
    
    CDRIVER-1398 metadata platform field
---
 src/mongoc/mongoc-config.h.in | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 
diff --git a/src/mongoc/mongoc-config.h.in b/src/mongoc/mongoc-config.h.in
index 0575a43..b70dac9 100644
--- a/src/mongoc/mongoc-config.h.in
+++ b/src/mongoc/mongoc-config.h.in
@@ -18,6 +18,14 @@
 #ifndef MONGOC_CONFIG_H
 #define MONGOC_CONFIG_H
 
+/* MONGOC_USER_SET_CFLAGS is set from config based on what compiler flags were
+ * used to compile mongoc */
+#define MONGOC_USER_SET_CFLAGS "@MONGOC_USER_SET_CFLAGS@"
+
+#define MONGOC_USER_SET_LDFLAGS "@MONGOC_USER_SET_LDFLAGS@"
+
+/* MONGOC_CC is used to determine what C compiler was used to compile mongoc */
+#define MONGOC_CC "@MONGOC_CC@"
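Review bot: the three substituted values are dropped verbatim between the double quotes of a C string literal, so any `"` or `\` in the user-supplied CFLAGS, LDFLAGS or CC terminates the literal early and the resulting `mongoc-config.h` no longer compiles (the `-I"/usr/include"` case in the description). The configure step should escape backslashes and double quotes before substitution so that the value becomes `"-I\"/usr/include\""`, or the header should stringify the unquoted token sequence with a two-level `#` macro. Minor: `MONGOC_USER_SET_LDFLAGS` is the only one of the three without a comment; give it the same one-line explanation as its neighbours.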


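The escape-before-substitution fix that the ticket title describes, as an added example in Python that is not the driver's configure code: `render()` substitutes `@NAME@` placeholders the way a configure template does, with and without escaping, and `parse_define_string()` is a minimal lexer that shows why the unescaped form from the description leaves tokens outside the literal.

```python
import re

# Placeholders of the form @NAME@, as used in mongoc-config.h.in.
PLACEHOLDER = re.compile(r"@([A-Za-z_][A-Za-z0-9_]*)@")

TEMPLATE = '#define MONGOC_USER_SET_CFLAGS "@MONGOC_USER_SET_CFLAGS@"'

# Constructed example: the CFLAGS value from the ticket description.
CFLAGS = '-I"/usr/include"'


def escape_c_literal(value: str) -> str:
    """Escape a value so it can sit between the quotes of a C string literal:
    backslashes first, then double quotes."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render(template: str, values: dict, escape: bool) -> str:
    """Substitute @NAME@ placeholders; escape=False mimics the 1.5.0
    behaviour, escape=True the fix."""
    def sub(m):
        v = values[m.group(1)]
        return escape_c_literal(v) if escape else v
    return PLACEHOLDER.sub(sub, template)


def parse_define_string(line: str):
    """Lex a '#define NAME "..."' line: return the decoded string value and
    whatever text follows the closing quote. Non-empty leftover means the
    literal was terminated early, which is exactly the reported build break."""
    _, _, rest = line.partition('"')
    out = []
    i = 0
    while i < len(rest):
        c = rest[i]
        if c == "\\" and i + 1 < len(rest):
            out.append(rest[i + 1])  # only \\ and \" are produced above
            i += 2
        elif c == '"':
            return "".join(out), rest[i + 1:].strip()
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


if __name__ == "__main__":
    for escape in (False, True):
        line = render(TEMPLATE, {"MONGOC_USER_SET_CFLAGS": CFLAGS}, escape)
        value, leftover = parse_define_string(line)
        print(line, "->", repr(value), "leftover:", repr(leftover))
```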

 Comments   
Comment by Githook User [ 13/Dec/16 ]

Author: Hannes Magnusson (bjori, bjori@php.net)

Message: CDRIVER-1953 Escape double quotes in MONGOC_USER_SET_LDFLAGS/CC/CFLAGS
Branch: r1.5
https://github.com/mongodb/mongo-c-driver/commit/e09a07a744d0f5f762d25b06245263d43ac5e0ed

Comment by Githook User [ 13/Dec/16 ]

Author: Hannes Magnusson (bjori, bjori@php.net)

Message: CDRIVER-1953 Escape double quotes in MONGOC_USER_SET_LDFLAGS/CC/CFLAGS
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/101c7d3e0a3d0c455c04c168dbd9b2eb08c17b08

Comment by Karolin Varner [ 12/Dec/16 ]

Yep, I agree. Hence the attribute "rare".
It wouldn't surprise me if this created sec problems for some people, but then their setup will be the bigger problem!
(Although I have seen some terrible things)

Comment by Hannes Magnusson [ 12/Dec/16 ]

I think classifying it as a security bug is a stretch. You might as well just change the source code rather than setting environment variables when compiling the driver.

I'm still bumping this to critical as this does indeed break the build in unfortunate ways.

We'll be rolling out 1.5.1 soon with a fix for this (and a couple of other issues).

Thank you for the report!

Comment by Karolin Varner [ 12/Dec/16 ]

Note: It may be possible to mitigate this by using the # preprocessor macro to turn a macro into a string
You should test it before you use this fix!

#define MONGOC_STRINGIFY_(x) #x
#define MONGOC_STRINGIFY(x) MONGOC_STRINGIFY_(x)
#define MONGOC_USER_SET_CFLAGS_NOQUOTE @MONGOC_USER_SET_CFLAGS@
#define MONGOC_USER_SET_CFLAGS MONGOC_STRINGIFY(MONGOC_USER_SET_CFLAGS_NOQUOTE)

Generated at Wed Feb 07 21:13:43 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.