mailing list archives
Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?
From: Peter Bex <Peter.Bex () xs4all nl>
Date: Thu, 13 Dec 2012 16:51:15 +0100
On Thu, Dec 13, 2012 at 08:42:51AM -0700, Kurt Seifried wrote:
On 12/13/2012 04:12 AM, Simon McVittie wrote:
If shell syntax is not specifically needed, it would be even better
to use a mechanism not involving parsing shell syntax, like
posix_spawn(), GLib's g_spawn_async() or Python's os.spawn* family,
to launch the compiler (analogous to using prepared statements to
avoid ever having to think about SQL escaping or SQL injection).
If anyone knows similar functions/etc for other programming languages
please let me know off list so I can compile a list of these and then
post them for future reference. Thanks!
Chicken Scheme (www.call-cc.org) has multi-argument versions of the
process family of procedures which map to the exec() family.
These are a bit tricky, since the one-argument versions fall back to
system()-like functionality. I consider this dangerous.
There's also the scsh-process egg, which is much more fool-proof:
It's modeled after SCSH, the Scheme Shell. A few other Scheme
implementations (at least Guile and Scheme48 iirc) also have a version
of this safe notation.
"The process of preparing programs for a digital computer
is especially attractive, not only because it can be economically
and scientifically rewarding, but also because it can be an aesthetic
experience much like composing poetry or music."
-- Donald Knuth
Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? Simon McVittie (Dec 13)