digitalmars.D.bugs - [Issue 22950] New: install.sh uses unsafe HTTP to download LATEST
- d-bugmail@puremagic.com, Mar 28 2022, https://issues.dlang.org/show_bug.cgi?id=22950
https://issues.dlang.org/show_bug.cgi?id=22950

Issue ID: 22950
Summary: install.sh uses unsafe HTTP to download LATEST
Product: D
Version: D2
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P1
Component: tools
Assignee: nobody@puremagic.com
Reporter: vuoto17+dlang@hotmail.it

The script at `https://dlang.org/install.sh` uses unsafe HTTP to download `http://downloads.dlang.org/releases/LATEST` (and related mirrors/files). This means that a MITM on user traffic would lead to arbitrary attacker-controlled input reaching the script.

Some implications I manually verified (mind you, I'm not the most skilled bash/curl person, so assume this to be the smallest scope):

1. Downgrade D on a target machine.
2. Print arbitrary text on the target terminal. This includes ANSI escape sequences, which can do things like clearing the screen, setting windows' title, and potentially write files or execute programs (in certain terminal emulators/configurations).
3. Mess with the curl URL. For example, `echo -n '{asd,lol}-2016-10-20' > LATEST` results in curl running two GET requests. I couldn't do much with it because it's in the middle of the URL, but again, there might be other attack angles I didn't think of.

Seems like `downloads.dlang.org` is only served over HTTP. I would suggest you serve `LATEST` from an HTTPS-only website. Using a `.sig` file on it would also work, but still leave open the possibility of attacker-mandated downgrades (if I'm not mistaken).

Thanks,
Paolo

(P.S.: Is `security@dlang.org` still in existence? I found it linked on dlang.org, but I couldn't deliver my email)
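As an added example (not the dlang installer's own code), this is the shape of fetch a maintainer would want for `LATEST`: HTTPS-only transport with no downgrade on redirect, curl URL globbing switched off so a `{a,b}` value cannot fan out into several requests, and an allowlist check on the value before it is interpolated into a download URL. The HTTPS endpoint and the accepted version pattern are assumptions.

```shell
#!/bin/sh
# Added example, not the dlang install.sh. Assumes LATEST is reachable over
# HTTPS at the URL below and that a valid value looks like 2.099.1 or
# 2.099.1-rc.1 (both assumptions; adjust to the real release naming).
LATEST_URL="https://downloads.dlang.org/releases/LATEST"

# Accept only a dotted numeric version with an optional -suffix.
# The byte allowlist runs first because grep is line-oriented: a value such
# as "2.099.1<newline>evil" would otherwise pass the anchored regex on its
# first line. Braces, ESC bytes, slashes, spaces and newlines all fail here,
# which blocks curl globbing, terminal escape injection and path tricks.
validate_latest() {
    case "$1" in
        '' ) return 1 ;;
        *[!0-9A-Za-z.-]* ) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?$'
}

# Transport hardening: HTTPS only (also for redirects), no {}/[] globbing,
# non-zero exit on HTTP errors, bounded wait. The value is NOT trusted yet.
fetch_latest() {
    curl --silent --show-error --fail --globoff \
         --proto '=https' --proto-redir '=https' \
         --max-time 30 "$LATEST_URL"
}

# Resolve the version to use; abort unless the fetched value validates.
resolve_version() {
    latest="$(fetch_latest)" || return 1
    if validate_latest "$latest"; then
        printf '%s\n' "$latest"
    else
        printf 'refusing untrusted LATEST value\n' >&2
        return 1
    fi
}
```

Pinning a minimum acceptable version (or comparing against the currently installed one) would also be needed to close the downgrade case the report mentions; the allowlist alone does not address it.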