oss-sec mailing list archives
Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?
From: Peter Bex <Peter.Bex () xs4all nl>
Date: Thu, 13 Dec 2012 16:51:15 +0100
On Thu, Dec 13, 2012 at 08:42:51AM -0700, Kurt Seifried wrote:
On 12/13/2012 04:12 AM, Simon McVittie wrote:If shell syntax is not specifically needed, it would be even better to use a mechanism not involving parsing shell syntax, like posix_spawn(), GLib's g_spawn_async() or Python's os.spawn* family, to launch the compiler (analogous to using prepared statements to avoid ever having to think about SQL escaping or SQL injection).If anyone knows similar functions/etc for other programming languages please let me know off list so I can compile a list of these and then post them for future reference. Thanks!
Chicken Scheme (www.call-cc.org) has multi-argument versions of the process family of procedures which map to the exec() family. http://wiki.call-cc.org/manual/Unit%20posix#processes These are a bit tricky, since the one-argument versions fall back to system()-like functionality. I consider this dangerous. There's also the scsh-process egg, which is much more fool-proof: http://wiki.call-cc.org/egg/scsh-process It's modeled after SCSH, the Scheme Shell. A few other Scheme implementations (at least Guile and Scheme48 iirc) also have a version of this safe notation. Cheers, Peter Bex -- http://sjamaan.ath.cx -- "The process of preparing programs for a digital computer is especially attractive, not only because it can be economically and scientifically rewarding, but also because it can be an aesthetic experience much like composing poetry or music." -- Donald Knuth
Current thread:
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?, (continued)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Eitan Adler (Dec 12)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Andreas Ericsson (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Jan Lieskovsky (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Simon McVittie (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Andreas Ericsson (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Colomban Wendling (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Andreas Ericsson (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Eitan Adler (Dec 12)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Matthew Brush (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Andreas Ericsson (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Kurt Seifried (Dec 13)
- Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Peter Bex (Dec 13)