[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter st

From: strk
Subject: Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting
Date: Mon, 3 Jan 2011 19:56:49 +0100

On Thu, Dec 30, 2010 at 02:17:58AM -0800, John Gilmore wrote:
> Does that patch actually prevent all attacks?  Seems like a string
> containing    \'  would get substituted wrongly by this.


> I haven't looked at the whole context, but what are we building here?
> If it's a string for the shell, we'd do better to make an argv list and
> then call exec, rather than building something that gets parsed by the shell,
> which has incredibly complicated rules for parsing and is easy to screw up
> the security of.

Yeah, fork & exec would be stronger.
Most of the times we request the load trough the 'host fd' though
(the plugin provides one) so this code is really only hit by runs
of the standalone w/out a -F switch.

A patch for fork & exec is welcome.


  ()   Free GIS & Flash consultant/developer

reply via email to

[Prev in Thread] Current Thread [Next in Thread]