On Sun, 4 May 2014 17:06:51 +0200
Markus Wichmann <nullplan_AT_gmx.net> wrote:
> Did you even read the code? Of course it does: Every existing single
> quote within the string argument is replaced by a single quote, followed
> by a backslash, followed by two single quotes. No way for that to turn
> out to be wrong as far as I can see!
That's right Markus, I took care of that.
What Chris is concerned about is making a mistake in the config.h,
calling a program like watch(1), which accepts arguments like this:
watch 'ls -l /tmp | grep tmp'
Now, Chris' concern is, if you put watch like this in your config.h,
which means:
"watch 'ls -l /tmp | grep %s'"
It might be possible to exploit this by calling xdg-open with a command
like this:
;rm -rf /;
which is transformed internally to
';rm -rf /;' --> "watch 'ls -l /tmp | grep ;rm -rf /;'"
Imho, this is a valid concern as far as the consciousness of the user
goes. However, it actually is irrelevant if you know the shell-quirks.
This is a problem which even has to be addressed in any shell-script
accepting arguments.
As a second layer of security, you might want to be very strict with
the regexes.
I'll look into other things which may exclude this possibility, but as
long as you know what you're doing, soap is perfectly safe to use.
Cheers
FRIGN
--
FRIGN <dev_AT_frign.de>
Received on Sun May 04 2014 - 17:25:06 CEST
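Since the whole exchange turns on where the quoting lands, here is an added illustration (my own, not soap's code) of the substitution Markus describes, plus a check you can run over a config.h template before using it. The names soap_quote, expand, argument_survives and placeholder_is_unquoted, and the sample argument and template strings, are assumptions constructed for this example.

```python
import shlex

def soap_quote(arg: str) -> str:
    """Quote ARG the way the mail describes: every single quote becomes
    '\\'' and the whole thing is wrapped in single quotes, so the shell
    sees exactly one word regardless of ; | or spaces inside it."""
    return "'" + arg.replace("'", "'\\''") + "'"

def expand(template: str, arg: str) -> str:
    """Substitute the quoted argument for %s in a config.h-style command."""
    return template.replace("%s", soap_quote(arg))

def argument_survives(template: str, arg: str) -> bool:
    """Tokenize the expanded command like a POSIX shell (no execution) and
    report whether ARG is still one single word of the command line."""
    try:
        return arg in shlex.split(expand(template, arg))
    except ValueError:          # unbalanced quotes: nested quoting broke it
        return False

def placeholder_is_unquoted(template: str) -> bool:
    """Lint a template: %s must not sit inside an already-quoted region,
    otherwise the quotes soap adds are nested and the protection is lost."""
    in_single = in_double = False
    i = 0
    while i < len(template):
        c = template[i]
        if c == "\\" and not in_single:   # backslash escapes the next char
            i += 2
            continue
        if c == "'" and not in_double:
            in_single = not in_single
        elif c == '"' and not in_single:
            in_double = not in_double
        elif template.startswith("%s", i) and (in_single or in_double):
            return False
        i += 1
    return True

# Constructed sample values, not taken from the original mail.
SAFE_TEMPLATE = "grep -- %s"                      # %s is a bare word
NESTED_TEMPLATE = "watch 'ls -l /tmp | grep %s'"  # %s already inside quotes
ARG = "it's;echo oops;"

if __name__ == "__main__":
    for tmpl in (SAFE_TEMPLATE, NESTED_TEMPLATE):
        print(repr(expand(tmpl, ARG)),
              "unquoted %s:", placeholder_is_unquoted(tmpl),
              "arg intact:", argument_survives(tmpl, ARG))
```

The lint catches the config.h mistake discussed above before anything is run; the tokenizer check shows that with a bare %s the argument stays one word, while the nested template either splits it into several words or leaves a dangling quote.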