[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter st
Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting
Tue, 4 Jan 2011 19:54:17 +0100
On Thu, Dec 30, 2010 at 02:17:58AM -0800, John Gilmore wrote:
> Does that patch actually prevent all attacks? Seems like a string
> containing \' would get substituted wrongly by this.
It's fine -- backslash has no meaning in single-quoted strings.
> I haven't looked at the whole context, but what are we building here?
> If it's a string for the shell, we'd do better to make an argv list
> and then call exec, rather than building something that gets parsed by
> the shell, which has incredibly complicated rules for parsing and is
> easy to screw up the security of.
The rules for single-quoting are almost trivial.
(BTW, I wasn't even thinking about security considerations; I just
wanted to fix a bug... Though now that you mention it, I do see that
this was indeed a vulnerability -- a specially crafted website could
result in a launcher that would execute arbitrary shell code upon use.)
|[Prev in Thread]
||[Next in Thread]|
- Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting,