Increasing TWiki's Robustness Against Shell Command Injection

TWiki uses Perl's backtick operator in several places. The argument string of the backtick operator contains data from untrusted sources, causing potential security problems if shell metacharacters are involved. A patch to resolve these potential issues is provided.

In the past, several vulnerabilities involving shell command injection had to be fixed in TWiki (Metacharacters can be passed through to the shell in File Attach <>, TWiki Security Alert, 2003-10-19; TWiki search function allows arbitrary shell command execution <>, TWiki Security Alert, 2004-11-13).

In order to correct the remaining potential issues and prevent further coding errors, the following patch introduces a replacement of Perl's backtick operator. This replacement constructs command line argument vectors in a safe way (by invoking the new subroutine TWiki::buildCommandLine). Execution of arbitrary shell commands directly through shell metacharacters is no longer possible if TWiki::readFromProcess or TWiki::readFromProcessArray are used. (Indirect command injection is still possible if vulnerable programs and scripts are invoked through this interface, though.)

The current patch is relative to TWiki's Subversion trunk (, revision 3248. The Changelog file contains summaries of the changes. Please also read the README.robustness file included in the patch, and keep in mind that you must edit your TWiki.cfg file.

Note: This patch is known not to work with native Windows versions of TWiki.

For Developers: Increasing Robustness of Your Code

With the following changes, your code can also benefit from the backtick replacement:

TWiki Plugins

Some TWiki plugins have been checked against the list above. The results are given below.


Security-related changes in these patches will be announced on the security-announce mailing list.


Florian Weimer
Home Blog (DE) Blog (EN) Impressum RSS Feeds