oss-sec mailing list archives

Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 13 Dec 2012 08:42:51 -0700


On 12/13/2012 04:12 AM, Simon McVittie wrote:
> (Incidentally, Geany is written using Gtk and GLib, and GLib
> already has a function g_shell_quote() which escapes arbitrary
> filenames for /bin/sh.)
> 
> If shell syntax is not specifically needed, it would be even better
> to use a mechanism not involving parsing shell syntax, like
> posix_spawn(), GLib's g_spawn_async() or Python's os.spawn* family,
> to launch the compiler (analogous to using prepared statements to
> avoid ever having to think about SQL escaping or SQL injection).

If anyone knows similar functions/etc for other programming languages
please let me know off list so I can compile a list of these and then
post them for future reference. Thanks!

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

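The two approaches Simon contrasts, shown side by side in Python as an added example that is not part of this thread and not Geany's own build code. It uses shlex.quote() as the Python counterpart of GLib's g_shell_quote(), and subprocess.run() with an argument list as the counterpart of posix_spawn()/g_spawn_async(): the command is exec'd directly and /bin/sh never parses the filename. The filename and the stand-in "compiler" (printf, so it runs anywhere) are constructed for the demonstration.

```python
import shlex
import subprocess

# Constructed sample: a project file name containing shell metacharacters.
# The only thing it can smuggle here is an extra "echo", which is enough to
# show whether the shell ever saw the name.
TRICKY_NAME = "hello.c; echo INJECTED"

# printf stands in for the compiler; the backslash-n is interpreted by printf
# itself, so the same bytes are passed in both the shell-string and argv forms.
FORMAT = "%s\\n"


def build_shell_line_unsafe(filename):
    """String concatenation: the filename becomes shell syntax (the bug class)."""
    return f"printf '{FORMAT}' {filename}"


def build_shell_line_quoted(filename):
    """Still a shell string, but the filename is quoted first (g_shell_quote analogue)."""
    return f"printf '{FORMAT}' {shlex.quote(filename)}"


def build_argv(filename):
    """Argument vector handed straight to exec: no shell, nothing to quote."""
    return ["printf", FORMAT, filename]


def run_shell(command_line):
    """Launch through /bin/sh, as a shell-string build command would."""
    result = subprocess.run(command_line, shell=True,
                            capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


def run_argv(filename):
    """Launch without a shell (posix_spawn / g_spawn_async style)."""
    result = subprocess.run(build_argv(filename),
                            capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


if __name__ == "__main__":
    # Unquoted shell string: two commands run, the second one attacker-chosen.
    print("unsafe :", run_shell(build_shell_line_unsafe(TRICKY_NAME)))
    # Quoted shell string: one command, the name arrives intact.
    print("quoted :", run_shell(build_shell_line_quoted(TRICKY_NAME)))
    # argv form: same result as quoting, with no escaping logic to get wrong.
    print("argv   :", run_argv(TRICKY_NAME))
```

Reviewing a build tool, the thing to look for is the first shape: a command line assembled with string formatting and then passed to system(), popen() or shell=True. The quoted form is acceptable when the user legitimately configures a shell snippet (Geany's build commands are user-editable templates), but the argv form removes the escaping question entirely, which is Simon's prepared-statement comparison.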