[Help-smalltalk] Security Issue VFS

From: maarten
Subject: [Help-smalltalk] Security Issue VFS
Date: Wed, 16 Nov 2011 15:31:40 +0100
User-agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1


Holger Freyther and I concluded that there's a security issue in the VFSAddOns package.

Code like this:

PackageLoader fileInPackage: 'VFSAddOns'.
((File name: 'dontcare') zip) createDirectory: '; xterm'.

Will not only try to open the zip, but also execute xterm, which shouldn't be possible.
Now I'm wondering what would be the best way to fix this.

Paolo Bonzini suggested that doing something like:

st> 'abc'';xterm' asFile displayNl

might fix something.

I wonder if this would suffice or if there probably exists something like the execvp system call for gnu-smalltalk?

Also, VFSAddOns contained two bugs which made it impossible to use. I think I've fixed those now, so I'll try to submit those later. Where should I do this?
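
The two remedies raised in this message (quoting the name before it reaches the shell, and an execvp-style call that bypasses the shell), shown as an added C illustration that is not part of the original post and is not GNU Smalltalk or VFSAddOns code. The `test -n` command, the function names and the `x; exit 42` name are constructed stand-ins for the real command and the '; xterm' name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static int code(int st) { return WIFEXITED(st) ? WEXITSTATUS(st) : -1; }

/* Vulnerable pattern: the name is pasted into a /bin/sh command line. */
int run_via_shell(const char *name) {
    char cmd[600];
    snprintf(cmd, sizeof cmd, "test -n %s", name);
    return code(system(cmd));
}

/* Fix 1: single-quote the name, writing each embedded ' as '\'' . */
int sh_quote(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz < 3) return -1;
    out[o++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need + 2 > outsz) return -1;   /* keep room for ' and NUL */
        if (need == 4) { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *in;
    }
    out[o++] = '\''; out[o] = '\0';
    return 0;
}

int run_via_shell_quoted(const char *name) {
    char q[512];
    return sh_quote(name, q, sizeof q) ? -1 : run_via_shell(q);
}

/* Fix 2: no shell at all; execvp() gets the name as one argv element. */
int run_via_argv(const char *name) {
    char *const argv[] = { "test", "-n", (char *)name, NULL };
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    return waitpid(pid, &st, 0) < 0 ? -1 : code(st);
}

int main(void) {
    const char *name = "x; exit 42";   /* constructed, benign stand-in */
    printf("%d %d %d\n", run_via_shell(name), run_via_shell_quoted(name), run_via_argv(name));
    return 0;
}
```

An exit status of 42 from the first call means the shell ran the text after the `;` as a second command; both fixes return 0 because the whole name reaches `test` as a single argument.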
