help-smalltalk

Re: [Help-smalltalk] Security Issue VFS


From: Paolo Bonzini
Subject: Re: [Help-smalltalk] Security Issue VFS
Date: Mon, 19 Dec 2011 18:24:40 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20110930 Thunderbird/7.0.1

On 12/19/2011 04:41 PM, maarten wrote:

> and added it to String.st in the kernel folder.
> Now within every call of system in the VFS library I've added (string)
> escape. This way anyone could escape any string in any situation and it
> also works for this particular problem.

Your code is a bit inefficient. Never use the comma message. Always use streams instead.

Also, a partial fix (not escaping everything) is as ineffective as no fix.

I attach a patch that does this more efficiently and adds #system:withArguments:. Can you fix VFS using this new method?

Paolo

Attachment: esc.patch
Description: Text Data
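
An added illustration of the approach the message describes: build the command line on a stream and quote every argument, not just some. This is not the contents of esc.patch, which the page does not show, and not GNU Smalltalk's own code. The names `shellQuoted` and `ShellCommand` are hypothetical, and the archive name is a constructed sample.

```smalltalk
"Added example; selector and class names are hypothetical, not from esc.patch."
String extend [
    shellQuoted [
        "Answer the receiver as one single-quoted /bin/sh word. Inside single
         quotes the shell treats every character literally, so only the quote
         itself needs handling: close the quotes, emit \', reopen the quotes."
        | ws |
        ws := WriteStream on: (String new: self size + 2).
        ws nextPut: $'.
        self do: [:ch |
            ch = $'
                ifTrue: [ws nextPut: $'; nextPut: $\; nextPut: $'; nextPut: $']
                ifFalse: [ws nextPut: ch]].
        ws nextPut: $'.
        ^ws contents
    ]
]

Object subclass: ShellCommand [
    ShellCommand class >> line: aCommand withArguments: aCollection [
        "Build the command line on a stream (no comma concatenation) and
         quote every argument, so no caller can forget one."
        | ws |
        ws := WriteStream on: String new.
        ws nextPutAll: aCommand.
        aCollection do: [:each | ws space; nextPutAll: each shellQuoted].
        ^ws contents
    ]
]

"Constructed sample: an archive name containing a space, a semicolon and a quote."
(ShellCommand line: 'unzip' withArguments: #('-l' 'my file; name''s.zip')) displayNl.
```

Routing every call through one builder that quotes all arguments avoids the partial-fix problem: no call site has to remember to escape.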

