1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
From: Carl Suster <carl@contraflo.ws>
Date: Tue, 5 Jan 2016 23:57:58 +0100
Subject: disable-javascript
Bug-Debian: http://bugs.debian.org/791467
Description: Disable javascript execution
Plowshare uses rhino CLI or similar to execute javascript downloaded from the
Internet. Since this is not filtered or sandboxed at all, the javascript can
obtain arbitrary access to the system and so this patch disables it by
default.
.
Some modules depend on javascript in order to function normally and so
an option is provided to enable javascript by setting the environment
variable `PLOWSHARE_DEBIAN_JS=yes`.
---
docs/plowdown.1 | 3 +++
docs/plowup.1 | 3 +++
src/core.sh | 15 ++++++++++++++-
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/docs/plowdown.1 b/docs/plowdown.1
index 10ca81f..b97a0d7 100644
--- a/docs/plowdown.1
+++ b/docs/plowdown.1
@@ -451,6 +451,9 @@ Specifies an alternate curl command (\fB$PATH\fR search is considered). If not d
.I PLOWSHARE_JS
Specifies an alternate js command (\fB$PATH\fR search is considered). If not defined, \fBjs\fR is used.
.TP
+.I PLOWSHARE_DEBIAN_JS
+When set to \fByes\fR javascript is enabled, otherwise it is blocked per #791467. Note that arbitrary javascript downloaded from the Internet will be run without any sandboxing if this is enabled.
+.TP
.I XDG_CONFIG_HOME
The directory to store user configuration files. If not defined, \fB~/.config\fR is assumed.
diff --git a/docs/plowup.1 b/docs/plowup.1
index ccdd21a..83b4b4f 100644
--- a/docs/plowup.1
+++ b/docs/plowup.1
@@ -430,6 +430,9 @@ Specifies an alternate curl command (\fB$PATH\fR search is considered). If not d
.I PLOWSHARE_JS
Specifies an alternate js command (\fB$PATH\fR search is considered). If not defined, \fBjs\fR is used.
.TP
+.I PLOWSHARE_DEBIAN_JS
+When set to \fByes\fR javascript is enabled, otherwise it is blocked per #791467. Note that arbitrary javascript downloaded from the Internet will be run without any sandboxing if this is enabled.
+.TP
.I XDG_CONFIG_HOME
The directory to store user configuration files. If not defined, \fB~/.config\fR is assumed.
diff --git a/src/core.sh b/src/core.sh
index f62155c..8b2cf16 100644
--- a/src/core.sh
+++ b/src/core.sh
@@ -29,6 +29,7 @@ declare -r PLOWSHARE_CONFDIR="${XDG_CONFIG_HOME:-$HOME/.config}/plowshare"
# Dependencies
declare -r PLOWCORE_JS=${PLOWSHARE_JS:-js}
+declare -r PLOWCORE_DEBIAN_JS=${PLOWSHARE_DEBIAN_JS:-no}
declare -r PLOWCORE_CURL=${PLOWSHARE_CURL:-curl}
# Global error codes
@@ -1335,9 +1336,21 @@ post_login() {
fi
}
+# Debian NB: Javascript disabled by default due to #791467
+debian_javascript_enabled() {
+ if [ "$PLOWCORE_DEBIAN_JS" != 'yes' ]; then
+ return $ERR_SYSTEM
+ fi
+}
+
# Detect if a JavaScript interpreter is installed
# $? is zero on success
detect_javascript() {
+ if ! debian_javascript_enabled; then
+ log_notice "Plowshare's use of Javascript interpreter is disabled in Debian by default for security. (See: #791467)"
+ log_notice 'Javascript may be enabled by setting the environment variable PLOWSHARE_DEBIAN_JS=yes'
+ return $ERR_SYSTEM
+ fi
if ! type -P "$PLOWCORE_JS" >/dev/null 2>&1; then
log_notice 'Javascript interpreter not found. Please install one!'
return $ERR_SYSTEM
@@ -2771,7 +2784,7 @@ core_init() {
log_debug "using custom curl: $PLOWSHARE_CURL"
fi
- if [ -n "$PLOWSHARE_JS" ]; then
+ if debian_javascript_enabled && [ -n "$PLOWSHARE_JS" ]; then
if ! type -P "$PLOWSHARE_JS" >/dev/null 2>&1; then
log_error "$NAME: \$PLOWSHARE_JS is invalid, abort"
return $ERR_SYSTEM
|
