Re: [Help-smalltalk] Security Issue VFS

[Paolo Bonzini]

On 11/16/2011 03:31 PM, maarten wrote:
> Hello,
>
> Holger Fretyher and I concluded that there's a security issue in the
> VFSAddOns package.
>
> Code like this:
>
> PackageLoader fileInPackage: 'VFSAddOns'.
> ((File name: 'dontcare') zip) createDirectory: '; xterm'.
>
> Will not only try to open the zip, but also execute xterm, which
> shouldn't be possible.
> Now I'm wondering what would be the best way to fix this.
>
> Paolo Bonzini suggested that doing something like:
>
> st> 'abc'';xterm' asFile displayNl
> 'abc'\'';xterm'
>
> might fix something.
>
> I wonder if this would suffice or if there probably exists something
> like the execvp system call for gnu-smalltalk?

It is on my todo list (and has been for a while) to write a class for 
something like the posix_spawn API.  Ideally, that class would let you 
attach arbitrary files/URLs/pipes to file descriptors in the child, and 
then spawn the child.  Such an interface would also let you choose 
between a parsed and unparsed command line.

Another simpler possibility would be to add something like

    Smalltalk system: #('zip' 'abc' 'def')

... that would automatically escape each argument.  However this assumes 
that you do not need any redirection or piping, because in that case the 
'>' or '|' would be escaped too.

A third possibility hence is to have

    Smalltalk system: 'zip %1 %2 > %3'
         withArguments: {'abc'. 'def'. 'ghi'}

that would let the user choose what to escape and what not.

> Also VFSAddOns contained two bugs which made it impossible to use, I
> think I've fixed those now so I'll try to submit those later. Where
> should I do this?

Here is fine, or a pull request on github.