[bug-gv] [bugs #11561] Bug when printing files with spaces in their file
From: anonymous
Subject: [bug-gv] [bugs #11561] Bug when printing files with spaces in their filenames
Date: Wed, 2 Mar 2005 21:01:14 +0000
User-agent: Mozilla/5.0 (X11; U; NetBSD i386; en-US; rv:1.7.5) Gecko/20050228 Firefox/1.0

Follow-up Comment #1, bugs #11561 (project gv):

Note: Why is the system() call still used? It's a security leak in almost
all cases. Using a function of the exec() family is a much better idea,
since you are guaranteed that no `free-form' strings are passed to the
shell.

Example:

$ cp blah.gz foo\;ls\;
$ gv foo\;ls\;
<click `print', select lpr and ok>
lpr: cannot access foo
<current working directory's contents>

Of course, this is an accident waiting to happen; suppose someone opens a
file from the web by use of a browser plugin that downloads the file and
starts gv. That person is vulnerable to an attack without knowing it.

_______________________________________________________
This item URL is:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=11561>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
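
The contrast the comment above draws between system() and the exec() family, as an added example that is not part of the original message and is not gv's code. `test -f` stands in for the print command (lpr in the report); the helper names, the sample file name and its `exit 7` marker are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a legal file name that contains shell metacharacters. */
static const char SAMPLE_NAME[] = "/tmp/demo;exit 7;";

/* Unsafe pattern: the file name is pasted into a string that /bin/sh parses. */
int run_with_system(const char *prog, const char *opt, const char *file)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "%s %s %s", prog, opt, file);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;                        /* refuse truncated commands */
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Safer pattern: no shell; the file name is exactly one argv[] element. */
int run_with_exec(const char *prog, const char *opt, const char *file)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(prog, prog, opt, file, (char *)NULL);
        _exit(127);                       /* only reached if exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    FILE *f = fopen(SAMPLE_NAME, "w");    /* create the oddly named file */
    if (!f)
        return 1;
    fclose(f);
    /* system(): the shell splits at ';' and runs the trailing "exit 7". */
    printf("system(): %d\n", run_with_system("test", "-f", SAMPLE_NAME));
    /* execlp(): the program receives the whole name and finds the file. */
    printf("execlp(): %d\n", run_with_exec("test", "-f", SAMPLE_NAME));
    remove(SAMPLE_NAME);
    return 0;
}
```

Removing the shell does not stop the invoked program from reading a file name that begins with `-` as an option, so place `--` before the name where the program supports it.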