oss-sec mailing list archives
Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 13 Dec 2012 08:42:51 -0700
On 12/13/2012 04:12 AM, Simon McVittie wrote:
> (Incidentally, Geany is written using Gtk and GLib, and GLib already has a function g_shell_quote() which escapes arbitrary filenames for /bin/sh.)
>
> If shell syntax is not specifically needed, it would be even better to use a mechanism not involving parsing shell syntax, like posix_spawn(), GLib's g_spawn_async() or Python's os.spawn* family, to launch the compiler (analogous to using prepared statements to avoid ever having to think about SQL escaping or SQL injection).
If anyone knows similar functions/etc for other programming languages please let me know off list so I can compile a list of these and then post them for future reference. Thanks!

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
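As an added example (not code from this thread or from Geany), here are the three approaches Simon contrasts, written with Python's standard library: shlex.quote() stands in for GLib's g_shell_quote(), and subprocess.run() with an argument list stands in for posix_spawn()/g_spawn_async(), i.e. the program is executed directly and no shell ever parses the filename. The "compiler" is a stand-in echo and the filename is a constructed sample containing shell metacharacters.

```python
"""Three ways of handing an untrusted filename to a build command.

Assumptions: a POSIX /bin/sh and an `echo` binary on PATH; `echo` is a
stand-in for the real compiler so the effect of each approach is visible
in its output.
"""
import shlex
import subprocess

# Constructed sample filename containing shell metacharacters.
TRICKY_NAME = "hello world; echo INJECTED"
COMPILER = "echo"  # stand-in for the compiler (assumption for the demo)


def build_shell_command_unescaped(filename: str) -> str:
    """The unsafe pattern: splice the raw filename into a shell string."""
    return f"{COMPILER} {filename}"


def build_shell_command_quoted(filename: str) -> str:
    """Still a shell string, but the filename is escaped for /bin/sh first
    (shlex.quote is the Python analogue of g_shell_quote)."""
    return f"{COMPILER} {shlex.quote(filename)}"


def run_via_shell(command: str) -> str:
    """Run a command string through /bin/sh -c and return its stdout."""
    proc = subprocess.run(["/bin/sh", "-c", command],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def run_via_argv(filename: str) -> str:
    """Preferred: pass an argv list, so the filename arrives as exactly one
    argument and no shell is involved (the posix_spawn/g_spawn_async idea)."""
    proc = subprocess.run([COMPILER, filename],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    # The unescaped form runs two commands; the other two print the
    # filename literally, metacharacters included.
    print(repr(run_via_shell(build_shell_command_unescaped(TRICKY_NAME))))
    print(repr(run_via_shell(build_shell_command_quoted(TRICKY_NAME))))
    print(repr(run_via_argv(TRICKY_NAME)))
```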