Home page logo

oss-sec logo oss-sec mailing list archives

Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?
From: Peter Bex <Peter.Bex () xs4all nl>
Date: Thu, 13 Dec 2012 16:51:15 +0100

On Thu, Dec 13, 2012 at 08:42:51AM -0700, Kurt Seifried wrote:
On 12/13/2012 04:12 AM, Simon McVittie wrote:
If shell syntax is not specifically needed, it would be even better
to use a mechanism not involving parsing shell syntax, like
posix_spawn(), GLib's g_spawn_async() or Python's os.spawn* family,
to launch the compiler (analogous to using prepared statements to
avoid ever having to think about SQL escaping or SQL injection).

If anyone knows similar functions/etc for other programming languages
please let me know off list so I can compile a list of these and then
post them for future reference. Thanks!

Chicken Scheme (www.call-cc.org) has multi-argument versions of the
process family of procedures which map to the exec() family.
These are a bit tricky, since the one-argument versions fall back to
system()-like functionality.  I consider this dangerous.

There's also the scsh-process egg, which is much more fool-proof:
It's modeled after SCSH, the Scheme Shell.  A few other Scheme
implementations (at least Guile and Scheme48 iirc) also have a version
of this safe notation.

Peter Bex
"The process of preparing programs for a digital computer
 is especially attractive, not only because it can be economically
 and scientifically rewarding, but also because it can be an aesthetic
 experience much like composing poetry or music."
                                                        -- Donald Knuth

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]