Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting
Mon, 3 Jan 2011 19:56:49 +0100
On Thu, Dec 30, 2010 at 02:17:58AM -0800, John Gilmore wrote:
> Does that patch actually prevent all attacks? Seems like a string
> containing \' would get substituted wrongly by this.
> I haven't looked at the whole context, but what are we building here?
> If it's a string for the shell, we'd do better to make an argv list and
> then call exec, rather than building something that gets parsed by the shell,
> which has incredibly complicated rules for parsing and is easy to screw up
> the security of.
Yeah, fork & exec would be stronger.
Most of the time we request the load through the 'host fd' though
(the plugin provides one), so this code is really only hit by runs
of the standalone w/out a -F switch.
A patch for fork & exec is welcome.
() Free GIS & Flash consultant/developer
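The argv-plus-exec approach John suggests, as an added example (not Gnash's code and not the patch under discussion): the parameter is handed to the child as one argv element, so no shell ever parses it and there is nothing to quote or escape. run_argv and param_survives are hypothetical helper names, and /bin/echo stands in for the real launcher target.

```c
/* Added example: launch a child with an explicit argv via fork/exec instead
 * of building a quoted command string for the shell. Quotes, backslashes
 * and $(...) in the parameter reach the child byte-for-byte. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Runs argv[0] with the NULL-terminated argv, captures the child's stdout
 * into out (NUL-terminated) and returns its exit status, or -1 on error. */
static int run_argv(char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                    /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execv(argv[0], argv);          /* no shell involved */
        _exit(127);                    /* only reached if exec failed */
    }
    close(fds[1]);                     /* parent: drain the pipe */
    size_t used = 0;
    ssize_t n;
    while (used + 1 < outlen &&
           (n = read(fds[0], out + used, outlen - used - 1)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical launcher step: pass the script parameter as ONE argv element
 * and report whether the child received it unchanged (1) or not (0). */
static int param_survives(const char *param, char *seen, size_t seenlen)
{
    char *argv[] = { "/bin/echo", "-n", (char *)param, NULL };
    if (run_argv(argv, seen, seenlen) != 0) return 0;
    return strcmp(seen, param) == 0;
}
```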