
Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter st


From: John Gilmore
Subject: Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting
Date: Thu, 30 Dec 2010 02:17:58 -0800

Does that patch actually prevent all attacks?  Seems like a string
containing \' would get substituted wrongly by this.

I haven't looked at the whole context, but what are we building here?
If it's a string for the shell, we'd do better to make an argv list and
then call exec, rather than building something that gets parsed by the shell,
which has incredibly complicated rules for parsing and is easy to screw up
the security of.

        John
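
The argv-and-exec approach suggested in the message above, as an added example that is not part of the original post and is not Gnash code: the untrusted value travels as a single argv entry, so no shell ever parses it. The helper name `run_argv`, the use of `printf` as the child program, and the sample parameter are assumptions made for illustration.

```cpp
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/wait.h>

// Hypothetical helper: run args[0] with the given arguments and return its
// stdout. Each string becomes exactly one argv entry; no shell is involved.
std::string run_argv(const std::vector<std::string>& args, bool& ok)
{
    ok = false;
    if (args.empty()) return "";
    int fds[2];
    if (pipe(fds) != 0) return "";
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return ""; }

    if (pid == 0) {                        // child: stdout goes to the pipe
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        std::vector<char*> argv;
        for (const std::string& a : args) argv.push_back(const_cast<char*>(a.c_str()));
        argv.push_back(nullptr);
        execvp(argv[0], argv.data());      // replaces the child on success
        _exit(127);                        // reached only if exec failed
    }

    close(fds[1]);                         // parent: read until EOF
    std::string out;
    char buf[256];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) out.append(buf, n);
    close(fds[0]);
    int status = 0;
    ok = waitpid(pid, &status, 0) == pid && WIFEXITED(status) && WEXITSTATUS(status) == 0;
    return out;
}

// Constructed sample: a parameter value containing the \' sequence from the mail.
std::string sample_param() { return "movie\\' ; echo injected ; '.swf"; }

int main()
{
    bool ok = false;
    std::string out = run_argv({"printf", "%s", sample_param()}, ok);
    return (ok && out == sample_param()) ? 0 : 1;  // child saw the bytes verbatim
}
```

The child receives the parameter byte for byte, quotes and backslash included, because quoting rules only exist inside a shell parser.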


