[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#59817: [PATCH] Fix etags local command injection vulnerability
From: |
Eli Zaretskii |
Subject: |
bug#59817: [PATCH] Fix etags local command injection vulnerability |
Date: |
Sun, 04 Dec 2022 19:04:15 +0200 |
> From: Stefan Kangas <stefankangas@gmail.com>
> Date: Sun, 4 Dec 2022 08:27:14 -0800
> Cc: 59817@debbugs.gnu.org
>
> Eli Zaretskii <eliz@gnu.org> writes:
>
> > Thanks, but no, thanks. This cure is worse than the disease. Let's please
> > find simpler, more robust solutions. It TMPDIR is a problem, let's use a
> > file whose name is hard-coded in the etags.c source, or quote the name when
> > we pass it to the shell. If we suspect someone could disguise shell
> > commands as file names, let's quote the file names we pass to the shell with
> > '...' to prevent that. Etc. etc. -- let's use simple solutions that don't
> > drastically change the code.
>
> With single quotes, every single quote character also needs to be quoted
> so you can't just use a file named "';rm -rf $HOME;'".
Yes. But still, doing so is hardly rocket science, and it leaves the
general design of etags.c intact.
> The safest option is to just not call system, of course.
I'd rather not go there unless it was really necessary.
- bug#59817: [PATCH] Fix etags local command injection vulnerability, lux, 2022/12/04
- bug#59817: [PATCH] Fix etags local command injection vulnerability, Eli Zaretskii, 2022/12/04
- bug#59817: [PATCH] Fix etags local command injection vulnerability, Stefan Kangas, 2022/12/04
- bug#59817: [PATCH] Fix etags local command injection vulnerability,
Eli Zaretskii <=
- Message not available
- bug#59817: [PATCH] Fix etags local command injection vulnerability, Eli Zaretskii, 2022/12/05
- bug#59817: [PATCH] Fix etags local command injection vulnerability, lux, 2022/12/06
- bug#59817: [PATCH] Fix etags local command injection vulnerability, Eli Zaretskii, 2022/12/06
- bug#59817: [PATCH] Fix etags local command injection vulnerability, lux, 2022/12/06
- bug#59817: [PATCH] Fix etags local command injection vulnerability, Eli Zaretskii, 2022/12/06
- bug#59817: [PATCH] Fix etags local command injection vulnerability, Francesco Potortì, 2022/12/06
- bug#59817: [PATCH] Fix etags local command injection vulnerability, Francesco Potortì, 2022/12/06
- bug#59817: [PATCH] Fix etags local command injection vulnerability, lux, 2022/12/06
- bug#59817: [PATCH] Fix etags local command injection vulnerability, Eli Zaretskii, 2022/12/06
- bug#59817: [PATCH] Fix etags local command injection vulnerability, Andreas Schwab, 2022/12/06