bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
From: Stefan Kangas
Subject: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
Date: Thu, 24 Nov 2022 10:12:31 -0800
Eli Zaretskii <eliz@gnu.org> writes:
> Thanks, but the solution you propose for this is too drastic: it in effect
> rejects legitimate file names just because they have characters which look
> "suspicious". I think we need a more accurate test, which will not produce
> false positives so easily. Or maybe we need to ask the user for
> confirmation instead of skipping the files with suspicious names.
I think we could escape the file name using single quotes, but AFAIU we
then need to escape single quote characters too, so that:
'
becomes
'\''
See here for why:
https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Single-Quotes
But would it not be better to rewrite etags.c to not use system(1) at
all?
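
The single-quote escaping described in the message above, as an added example that is not part of the original post or of etags.c. The helper name `shell_single_quote` is hypothetical and the sample file names are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of NAME wrapped in single quotes for a
   POSIX shell, with each embedded ' rewritten as '\'' (close the quote,
   emit an escaped quote, reopen).  NULL on failure; caller frees.  */
char *
shell_single_quote (const char *name)
{
  size_t len = strlen (name), quotes = 0;
  for (size_t i = 0; i < len; i++)
    if (name[i] == '\'')
      quotes++;
  /* Each ' grows from 1 to 4 bytes; +2 for outer quotes, +1 for NUL.  */
  if (len > SIZE_MAX - 3 || quotes > (SIZE_MAX - 3 - len) / 3)
    return NULL;
  char *out = malloc (len + 3 * quotes + 3);
  if (!out)
    return NULL;
  char *p = out;
  *p++ = '\'';
  for (size_t i = 0; i < len; i++)
    if (name[i] == '\'')
      p = (char *) memcpy (p, "'\\''", 4) + 4;
    else
      *p++ = name[i];
  *p++ = '\'';
  *p = '\0';
  return out;
}

int main (void)
{
  /* Constructed sample file names, not taken from the bug report.  */
  const char *samples[] = { "plain.c", "it's.c", "two words; x.c" };
  for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
    {
      char *q = shell_single_quote (samples[i]);
      if (!q)
        return 1;
      printf ("%s -> %s\n", samples[i], q);
      free (q);
    }
  return 0;
}
```

Quoting only keeps the shell from interpreting the name; a name beginning with `-` can still be read as an option by the invoked program unless the command line separates options from operands.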