Re: A CGI security hole on Windows?

bug-global

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A CGI security hole on Windows?

From:	Shigio YAMAGUCHI
Subject:	Re: A CGI security hole on Windows?
Date:	Sat, 12 Mar 2016 21:27:54 +0900

I understood. Thank you.

I'm sorry but would you please uncomment it when you make

a Windows package? This code is not used on UNIX.

Presence or absence of a security hole seems to be dependent

on the specification (syntax) of Windows shell. Since I'm

not conversant about it, I'd overlook a security hole in

the future. I prefer not to entrust GLOBAL's fate to Microsoft.

Regards,

Shigio

2016-03-12 16:04 GMT+09:00 Jason Hood <address@hidden>:

> Doesn't the following code have a security hole on Windows?

"-|" is not supported on Windows and I believe exec will go
through the shell anyway (Windows always has a single command
line string, never individual arguments). (This change was
originally submitted 2014-01-22.)

--
Jason.

Shigio YAMAGUCHI <address@hidden>

PGP fingerprint: D1CB 0B89 B346 4AB6 5663 C4B6 3CA5 BBB3 57BE DDA3

[Prev in Thread]

Current Thread

[Next in Thread]

A CGI security hole on Windows?, Shigio YAMAGUCHI, 2016/03/09
- Re: A CGI security hole on Windows?, Shigio YAMAGUCHI, 2016/03/11
- Re: A CGI security hole on Windows?, Jason Hood, 2016/03/12
  - Re: A CGI security hole on Windows?, Shigio YAMAGUCHI <=

Prev by Date: Re: A CGI security hole on Windows?
Next by Date: Struct variable named as struct is not indexed correctly.
Previous by thread: Re: A CGI security hole on Windows?
Next by thread: Struct variable named as struct is not indexed correctly.
Index(es):
- Date
- Thread