Hi,

On Thu, Dec 30, 2010 at 02:17:58AM -0800, John Gilmore wrote:

> Does that patch actually prevent all attacks? Seems like a string
> containing \' would get substituted wrongly by this.

It's fine -- backslash has no meaning in single-quoted strings.

> I haven't looked at the whole context, but what are we building here?
> If it's a string for the shell, we'd do better to make an argv list
> and then call exec, rather than building something that gets parsed by
> the shell, which has incredibly complicated rules for parsing and is
> easy to screw up the security of.

The rules for single-quoting are almost trivial.

(BTW, I wasn't even thinking about security considerations; I just
wanted to fix a bug... Though now that you mention it, I do see that
this was indeed a vulnerability -- a specially crafted website could
result in a launcher that would execute arbitrary shell code upon use.)

-antrik-
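The single-quoting rule discussed in this message, as an added example that is not part of the original post and is not the Gnash patch: each embedded ' is written as '\'' and the result is checked by letting the shell parse it back. The function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example; sq_quote, naive_quote and parses_back are hypothetical names.

# Quote $1 as one shell word: wrap it in single quotes and write every
# embedded ' as '\'' (close the string, emit an escaped quote, reopen).
sq_quote() {
    q="'" rest=$1 out=
    while :; do
        case $rest in
            *"$q"*) head=${rest%%"$q"*}      # text before the first quote
                    out="$out$head$q\\$q$q"  # append text, then '\''
                    rest=${rest#*"$q"} ;;    # continue after that quote
            *) break ;;
        esac
    done
    printf '%s' "$q$out$rest$q"
}

# Broken form for comparison: adds quotes but leaves embedded quotes alone.
naive_quote() { printf "'%s'" "$1"; }

# Succeed only if the shell parses word $2 back into exactly one argument
# identical to $1. Runs in a subshell so a parse error stays contained.
parses_back() {
    (
        orig=$1 word=$2
        eval "set -- $word" 2>/dev/null || exit 1
        [ "$#" -eq 1 ] && [ "$1" = "$orig" ]
    )
}

# Constructed sample inputs, including the \' case raised in the thread.
for s in "it's" "a\\'b" "a' 'b" '$(echo X) `echo Y`'; do
    if parses_back "$s" "$(sq_quote "$s")"; then r1=ok; else r1=BROKEN; fi
    if parses_back "$s" "$(naive_quote "$s")"; then r2=ok; else r2=BROKEN; fi
    printf '%-22s escaped: %-7s naive: %s\n' "$(sq_quote "$s")" "$r1" "$r2"
done
```

The backslash in a\'b passes through untouched because only the quote character itself ends a single-quoted string; passing an argv list to exec, as suggested in the quoted text, avoids shell parsing altogether.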

