Does that patch actually prevent all attacks?  Seems like a string
containing \' would get substituted wrongly by this.

I haven't looked at the whole context, but what are we building here?
If it's a string for the shell, we'd do better to make an argv list and
then call exec, rather than building something that gets parsed by the shell,
which has incredibly complicated rules for parsing and is easy to screw up
the security of.

        John

_______________________________________________
Gnash-dev mailing list
http://lists.gnu.org/mailman/listinfo/gnash-dev
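The argv-and-exec approach John describes, as an added C example that is not from the Gnash code base or from this thread. It assumes a POSIX system with printf(1) on PATH, and the argument it passes is a constructed string full of shell metacharacters; because no shell is involved, the bytes reach the child exactly as given and no quoting or escaping step exists to get wrong.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run a program from an argv vector with no shell in between and capture
 * its stdout into out[0..n-1] (NUL-terminated). Returns the child's exit
 * status, or -1 on a pipe/fork/wait failure or abnormal termination. */
int run_with_argv(char *const argv[], char *out, size_t n)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;

    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: route stdout into the pipe, then exec. The kernel hands
         * every argv element to the program verbatim; nothing re-parses
         * quotes, $(...), |, ;, & or whitespace. */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127); /* only reached if exec itself failed */
    }

    /* Parent: drain the pipe to EOF, then collect the exit status. */
    close(fds[1]);
    size_t used = 0;
    ssize_t r;
    while (used + 1 < n && (r = read(fds[0], out + used, n - 1 - used)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical helper (not Gnash code): pass `arg` through printf(1) as
 * a separate argv element and report whether it came back byte-for-byte.
 * Returns 1 if unchanged, 0 if the child failed or altered it. */
int argument_survives(const char *arg)
{
    static char buf[4096];
    char *argv[] = { "printf", "%s", (char *)arg, NULL };
    if (run_with_argv(argv, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, arg) == 0;
}

int main(void)
{
    /* Constructed sample: the \' case from the thread plus other
     * characters a shell would otherwise interpret. */
    const char *sample = "it's \\' $(echo hi) `x` | ; & and  spaces";
    printf("argument passed intact: %s\n",
           argument_survives(sample) ? "yes" : "no");
    return 0;
}
```

Only `argv[0]` is looked up on PATH by execvp; every later element is data, so the caller never has to reason about which quoting context the shell would apply. If a shell is genuinely required (for a pipeline, say), the same principle still applies: keep user data out of the command string and hand it over as a separate argv element.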