[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter st

From: olafBuddenhagen
Subject: Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting
Date: Tue, 4 Jan 2011 19:54:17 +0100
User-agent: Mutt/1.5.20 (2009-06-14)


On Thu, Dec 30, 2010 at 02:17:58AM -0800, John Gilmore wrote:

> Does that patch actually prevent all attacks?  Seems like a string
> containing    \'  would get substituted wrongly by this.

It's fine -- backslash has no meaning in single-quoted strings.

> I haven't looked at the whole context, but what are we building here?
> If it's a string for the shell, we'd do better to make an argv list
> and then call exec, rather than building something that gets parsed by
> the shell, which has incredibly complicated rules for parsing and is
> easy to screw up the security of.

The rules for single-quoting are almost trivial.

(BTW, I wasn't even thinking about security considerations; I just
wanted to fix a bug... Though now that you mention it, I do see that
this was indeed a vulnerability -- a specially crafted website could
result in a launcher that would execute arbitrary shell code upon use.)


reply via email to

[Prev in Thread] Current Thread [Next in Thread]