oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?

From: Peter Bex <Peter.Bex () xs4all nl>
Date: Thu, 13 Dec 2012 16:51:15 +0100
On Thu, Dec 13, 2012 at 08:42:51AM -0700, Kurt Seifried wrote:

On 12/13/2012 04:12 AM, Simon McVittie wrote:

If shell syntax is not specifically needed, it would be even better
to use a mechanism not involving parsing shell syntax, like
posix_spawn(), GLib's g_spawn_async() or Python's os.spawn* family,
to launch the compiler (analogous to using prepared statements to
avoid ever having to think about SQL escaping or SQL injection).


If anyone knows similar functions/etc for other programming languages
please let me know off list so I can compile a list of these and then
post them for future reference. Thanks!


Chicken Scheme (www.call-cc.org) has multi-argument versions of the
process family of procedures which map to the exec() family.
http://wiki.call-cc.org/manual/Unit%20posix#processes
These are a bit tricky, since the one-argument versions fall back to
system()-like functionality.  I consider this dangerous.

There's also the scsh-process egg, which is much more fool-proof:
http://wiki.call-cc.org/egg/scsh-process
It's modeled after SCSH, the Scheme Shell.  A few other Scheme
implementations (at least Guile and Scheme48 iirc) also have a version
of this safe notation.

Cheers,
Peter Bex
-- 
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
 is especially attractive, not only because it can be economically
 and scientifically rewarding, but also because it can be an aesthetic
 experience much like composing poetry or music."
                                                        -- Donald Knuth
Previous By Date Next
Previous By Thread Next

Current thread: