
Re: [Help-smalltalk] Security Issue VFS

From: maarten
Subject: Re: [Help-smalltalk] Security Issue VFS
Date: Mon, 19 Dec 2011 16:41:24 +0100
User-agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1

On 11/16/2011 03:45 PM, Paolo Bonzini wrote:
> On 11/16/2011 03:31 PM, maarten wrote:
>> Holger Freyther and I concluded that there's a security issue in the
>> VFSAddOns package.
>>
>> Code like this:
>>
>> PackageLoader fileInPackage: 'VFSAddOns'.
>> ((File name: 'dontcare') zip) createDirectory: '; xterm'.
>>
>> Will not only try to open the zip, but also execute xterm, which
>> shouldn't be possible.
>> Now I'm wondering what would be the best way to fix this.
>>
>> Paolo Bonzini suggested that doing something like:
>>
>> st> 'abc'';xterm' asFile displayNl
>>
>> might fix something.
>>
>> I wonder if this would suffice or if there probably exists something
>> like the execvp system call for gnu-smalltalk?
>
> It is on my todo list (and has been for a while) to write a class for
> something like the posix_spawn API. Ideally, that class would let you
> attach arbitrary files/URLs/pipes to file descriptors in the child, and
> then spawn the child. Such an interface would also let you choose
> between a parsed and unparsed command line.
>
> Another simpler possibility would be to add something like
>
> Smalltalk system: #('zip' 'abc' 'def')
>
> ... that would automatically escape each argument. However this assumes
> that you do not need any redirection or piping, because in that case the
> '>' or '|' would be escaped too.
>
> A third possibility hence is to have
>
> Smalltalk system: 'zip %1 %2 > %3'
> withArguments: {'abc'. 'def'. 'ghi'}
>
> that would let the user choose what to escape and what not.
>
>> Also VFSAddOns contained two bugs which made it impossible to use, I
>> think I've fixed those now so I'll try to submit those later. Where
>> should I do this?
>
> Here is fine, or a pull request on github.


Ok, I'm considering this approach now. I've written this function (it
just escapes operators):

"Assumed wrapper: the text says the method was added in the kernel folder,
 so it is installed here as an instance method on String."
String extend [
    escape [
        "Answer a copy of the receiver with a backslash put in front of
         every character in the operators list."
        | index newstr operators |
        index := 1.
        newstr := ''.
        operators := #($~ $% $^ $\ $| $& $> $< $= $! $;).

        [ index <= self size ] whileTrue: [
            (operators includes: (self at: index)) ifTrue: [
                newstr := newstr, '\' ].
            newstr := newstr, (self at: index) asString.
            index := index + 1 ].
        ^newstr
    ]
]

and added it in the kernel folder.
Now within every call of system in the VFS library I've added (string) escape. This way anyone could escape any string in any situation, and it also works for this particular problem.
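The three shapes Paolo sketches above (an unparsed command line, an argument vector in which every element is escaped, and a template whose %1/%2 placeholders are replaced by escaped arguments) are easiest to compare side by side. The following is an added Python example written for this page; it is not code from the thread and not GNU Smalltalk code. It uses only the standard library (shlex, subprocess, re), the %N placeholder syntax follows Paolo's sketch, the function names are the example's own, and the sample argument is the '; xterm' name from the report. Nothing in the tokenizing functions is executed; they only show what a POSIX shell would see.

```python
import re
import shlex
import subprocess

# Constructed sample input: the directory name from the thread, which a shell
# reads as a command separator followed by a second command.
HOSTILE_NAME = "; xterm"

# Placeholder syntax from the thread's third proposal: %1, %2, ...
# (the regular expression is the example's own).
PLACEHOLDER = re.compile(r"%(\d+)")


def shell_words(command_line):
    """Tokenize a command line the way a POSIX shell would: quotes are removed
    and operator characters such as ; > | come back as separate tokens.
    Used here to show what the shell would see; nothing is executed."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def unparsed_command(directory):
    """Shape 1 (the reported problem): the name is spliced into a string that
    is handed to the shell, so its metacharacters become shell syntax."""
    return "mkdir " + directory


def escaped_argv_command(argv):
    """Shape 2 ('Smalltalk system: #(...)'): every element is quoted, so each
    one reaches the program as a single literal argument. The caveat from the
    thread applies: a '>' or '|' in the vector is quoted too and no longer
    redirects or pipes."""
    return " ".join(shlex.quote(word) for word in argv)


def template_command(template, arguments):
    """Shape 3 ('system: ... withArguments:'): literal template text, including
    any redirection, is left alone, while each %N is replaced by the quoted
    N-th argument. The caller decides what is shell syntax and what is data."""
    def substitute(match):
        return shlex.quote(arguments[int(match.group(1)) - 1])
    return PLACEHOLDER.sub(substitute, template)


def run_argv(argv):
    """Shape 2 without any shell at all (the posix_spawn/execvp idea): the
    vector goes straight to the program, so nothing is parsed by a shell and
    nothing needs escaping. Returns the program's standard output."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(shell_words(unparsed_command(HOSTILE_NAME)))
    # ['mkdir', ';', 'xterm']  -> two commands
    print(shell_words(escaped_argv_command(["mkdir", HOSTILE_NAME])))
    # ['mkdir', '; xterm']     -> one command with one argument
    print(template_command("zip %1 %2 > %3", [HOSTILE_NAME, "def", "ghi"]))
    # zip '; xterm' def > ghi  -> the '>' stays a redirection, the name is data
    print(escaped_argv_command(["zip", "abc", ">", "out"]))
    # zip abc '>' out          -> the caveat: '>' is quoted and no longer redirects
    print(repr(run_argv(["echo", HOSTILE_NAME])))
    # echo receives the literal name as its only argument
```

The point of contrast with a backslash-escaping routine is that shlex.quote wraps the whole argument in single quotes, so the set of characters that must be handled does not have to be enumerated; single quotes themselves are the only character that needs special treatment, and shlex handles that. When no redirection is needed at all, run_argv avoids the shell entirely, which is the posix_spawn direction Paolo mentions.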
