oss-sec mailing list archives

Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?


From: Simon McVittie <smcv () debian org>
Date: Thu, 13 Dec 2012 11:27:35 +0000

On 13/12/12 11:21, Jan Lieskovsky wrote:
> Is the user, prior to building, expected to investigate the file name of
> each of them for sanity? This is where the trust boundary is crossed -
> someone could send you a tarball: "Here is the source you were
> searching for." You would go to build it in Geany..

If Geany is willing to run 'make', as it appears to be, then you already
have to trust the sender of a source tree - a Makefile can contain
arbitrary shell commands, by design.

    S
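The two execution paths discussed above, as an added example that is not part of the thread and not Geany's code: a stand-in for an IDE build-command template ("%cc% %f") expanded once without quoting the filename and once with proper quoting, followed by a Makefile whose recipe runs a command directly. The compiler is replaced by `wc -c`, the filename and marker names are constructed for the demonstration, and the Makefile step reports `no-make` if `make` is not installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Geany. It models an IDE
# that expands a build template such as "%cc% %f" and hands the result to
# a shell, first without quoting the filename and then with quoting, and
# then shows that a Makefile recipe runs arbitrary commands regardless.
# The "compiler" is a stand-in (wc -c) so the script needs no toolchain.

# Unsafe expansion: the filename is spliced into the command string, so a
# ';' or '$(...)' inside the name is parsed by the shell as syntax.
build_unquoted() {
    sh -c "wc -c $1" >/dev/null 2>&1
}

# Safe expansion: the filename travels as a positional parameter and is
# only expanded inside double quotes, so its bytes are never parsed.
build_quoted() {
    sh -c 'wc -c -- "$1"' build-step "$1" >/dev/null 2>&1
}

# Scratch tree with a constructed (hypothetical) filename carrying a
# payload. The payload only touches a marker file so we can see it ran.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
EVIL_NAME='src.c;touch marker_from_name'
: > "$DEMO_DIR/$EVIL_NAME"

# A Makefile whose recipe is itself a shell command. The tab before the
# recipe line is mandatory make syntax; printf supplies it.
printf 'all:\n\t@touch marker_from_make\n' > "$DEMO_DIR/Makefile"

# Each function prints "ran" if the payload executed, "blocked" otherwise,
# and removes the marker so the check can be repeated.
payload_via_unquoted_name() {
    ( cd "$DEMO_DIR" && build_unquoted "$EVIL_NAME" )
    if [ -e "$DEMO_DIR/marker_from_name" ]; then echo ran; else echo blocked; fi
    rm -f "$DEMO_DIR/marker_from_name"
}

payload_via_quoted_name() {
    ( cd "$DEMO_DIR" && build_quoted "$EVIL_NAME" )
    if [ -e "$DEMO_DIR/marker_from_name" ]; then echo ran; else echo blocked; fi
    rm -f "$DEMO_DIR/marker_from_name"
}

# The Makefile path: if the IDE runs make at all, the Makefile itself is
# the trust boundary. Prints "ran", or "no-make" when make is unavailable.
payload_via_makefile() {
    if ! command -v make >/dev/null 2>&1; then echo no-make; return; fi
    ( cd "$DEMO_DIR" && make -s all >/dev/null 2>&1 )
    if [ -e "$DEMO_DIR/marker_from_make" ]; then echo ran; else echo blocked; fi
}

echo "unquoted template: $(payload_via_unquoted_name)"   # ran
echo "quoted template:   $(payload_via_quoted_name)"     # blocked
echo "make recipe:       $(payload_via_makefile)"        # ran (or no-make)
```

Quoting the filename closes the first path, but it does nothing about the second: whoever supplies the Makefile already chooses what the build runs, which is the point made in the reply above.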

