oss-sec mailing list archives

Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?


From: Colomban Wendling <lists.ban () herbesfolles org>
Date: Thu, 13 Dec 2012 16:20:18 +0100

On 13/12/2012 12:51, Andreas Ericsson wrote:
> On 12/13/2012 12:21 PM, Jan Lieskovsky wrote:
>> [...]
>>
>> The difference when running it directly from the command line is
>> that Bash would escape those files for you, so even with crafted names
>> nothing bad / suspicious would happen (and project would build
>> if syntactically correct).
>
> Except that people wouldn't manually compile thousands of files
> one by one. That's where build systems come in.

Yes, and for manual compilation to even have a chance to work one would
tweak the build command a lot to match the project's needs (inclusion
paths, link paths, etc.), so one has to be told to do so.

So I don't think it's more problematic than telling a user to run say,
"sudo cp -f that_file_I_sent_you /bin/sh".  Nobody can protect a user
from that, only the user can do it.

>> To the difference, in the Geany scenario, the file name(s) would
>> be passed to command line directly as they are (and if the project
>> would build or not at the end isn't what matters here).
>
> For the original report to be valid, the file would still have to
> be loaded into geany, or the report should have been about some
> other program. This is not a security issue that concerns geany.

All this said, I think the issue should still be addressed, because
although it doesn't look so security-related to me, it's not good to
choke on quotes or whatever.  But that's not oss-security's problem :)

Regards,
Colomban
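
The behaviour discussed in this message (a file name pasted into a build command as-is, versus quoted for the shell) can be seen in the following added example, which is not part of the original post and is not Geany's code. The command template, the `%f` placeholder as used here, the function names and the sample file names are all constructed for illustration; nothing is executed, the command line is only split the way a POSIX shell would split it.

```python
import shlex

# Constructed build command; "%f" stands for the current file name (assumption).
TEMPLATE = "gcc -Wall -c %f"

# Constructed file names: plain, with a space, with an apostrophe, with double quotes.
SAMPLES = ["hello.c", "my notes.c", "it's.c", 'a "b" c.c']


def expand_naive(template, filename):
    """Paste the file name into the command unchanged."""
    return template.replace("%f", filename)


def expand_quoted(template, filename):
    """Quote the file name so a POSIX shell reads it as exactly one word."""
    return template.replace("%f", shlex.quote(filename))


def shell_words(command):
    """Split a command line with POSIX shell quoting rules, without running it.

    Returns None when the line cannot be parsed at all (unbalanced quote).
    """
    try:
        return shlex.split(command)
    except ValueError:
        return None


def report():
    """For each sample name, return (name, words_if_naive, words_if_quoted)."""
    return [
        (name,
         shell_words(expand_naive(TEMPLATE, name)),
         shell_words(expand_quoted(TEMPLATE, name)))
        for name in SAMPLES
    ]


if __name__ == "__main__":
    for name, naive, quoted in report():
        print(f"{name!r}\n  naive : {naive}\n  quoted: {quoted}")
```

With quoting, the last word of the command is always the original file name; without it, a space or quote in the name changes the number of arguments or makes the line unparseable.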

