[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter st
From: |
olafBuddenhagen |
Subject: |
Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting |
Date: |
Tue, 4 Jan 2011 19:54:17 +0100 |
User-agent: |
Mutt/1.5.20 (2009-06-14) |
Hi,
On Thu, Dec 30, 2010 at 02:17:58AM -0800, John Gilmore wrote:
> Does that patch actually prevent all attacks? Seems like a string
> containing \' would get substituted wrongly by this.
It's fine -- backslash has no meaning in single-quoted strings.
> I haven't looked at the whole context, but what are we building here?
> If it's a string for the shell, we'd do better to make an argv list
> and then call exec, rather than building something that gets parsed by
> the shell, which has incredibly complicated rules for parsing and is
> easy to screw up the security of.
The rules for single-quoting are almost trivial.
(BTW, I wasn't even thinking about security considerations; I just
wanted to fix a bug... Though now that you mention it, I do see that
this was indeed a vulnerability -- a specially crafted website could
result in a launcher that would execute arbitrary shell code upon use.)
-antrik-
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting,
olafBuddenhagen <=