Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter st

gnash-dev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter st

From:	olafBuddenhagen
Subject:	Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting
Date:	Tue, 4 Jan 2011 19:54:17 +0100
User-agent:	Mutt/1.5.20 (2009-06-14)

Hi,

On Thu, Dec 30, 2010 at 02:17:58AM -0800, John Gilmore wrote:

> Does that patch actually prevent all attacks?  Seems like a string
> containing    \'  would get substituted wrongly by this.

It's fine -- backslash has no meaning in single-quoted strings.

> I haven't looked at the whole context, but what are we building here?
> If it's a string for the shell, we'd do better to make an argv list
> and then call exec, rather than building something that gets parsed by
> the shell, which has incredibly complicated rules for parsing and is
> easy to screw up the security of.

The rules for single-quoting are almost trivial.

(BTW, I wasn't even thinking about security considerations; I just
wanted to fix a bug... Though now that you mention it, I do see that
this was indeed a vulnerability -- a specially crafted website could
result in a launcher that would execute arbitrary shell code upon use.)

-antrik-

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting, olafBuddenhagen <=

Prev by Date: Re: [Gnash-dev] Re: Android support for Gnash
Next by Date: [Gnash-dev] Passing URLs to Browser
Previous by thread: [Gnash-dev] Android support for Gnash
Next by thread: [Gnash-dev] Passing URLs to Browser
Index(es):
- Date
- Thread