Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter st
From: John Gilmore
Subject: Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting
Date: Thu, 30 Dec 2010 02:17:58 -0800

Does that patch actually prevent all attacks? Seems like a string
containing \' would get substituted wrongly by this.
I haven't looked at the whole context, but what are we building here?
If it's a string for the shell, we'd do better to make an argv list and
then call exec, rather than building something that gets parsed by the shell,
which has incredibly complicated rules for parsing and is easy to screw up
the security of.
John
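
The approach suggested in the message above (build an argv list and call exec rather than composing a string for the shell to parse), shown as an added example; it is not code from the original message or from Gnash. The helper name `run_with_argv`, the use of `printf` as the child program and the sample string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run `printf %s <param>` with an argv list and no shell,
 * capturing the child's stdout in out. Returns bytes captured, or -1. */
static ssize_t run_with_argv(const char *param, char *out, size_t outsz)
{
    int fds[2];
    if (outsz == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        /* param is one argv element: nothing re-parses its quotes or $(). */
        char *const argv[] = { "printf", "%s", (char *)param, NULL };
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    size_t total = 0;
    ssize_t n;
    while (total < outsz - 1 &&
           (n = read(fds[0], out + total, outsz - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status))
        return -1;
    return (ssize_t)total;
}

int main(void)
{
    /* Constructed sample containing the characters shell quoting trips on. */
    const char *sample = "it's a \\' test; $(echo x) `echo y` \"z\"";
    char buf[256];
    ssize_t got = run_with_argv(sample, buf, sizeof buf);
    printf("%s\n", got >= 0 && strcmp(buf, sample) == 0 ? "intact" : "altered");
    return 0;
}
```

Because the parameter reaches the child as a single argv element, no escaping routine is involved and the child receives the bytes unchanged.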