Re: [jokosher-devel] Jokosher Security Vulnerability

From: John Green <john thegreens co uk>
To: jokosher-devel-list gnome org
Subject: Re: [jokosher-devel] Jokosher Security Vulnerability
Date: Wed, 27 Sep 2006 11:43:17 +0100

On Wednesday 27 September 2006 08:57, Stuart Langridge wrote:
>
> Don't allow semicolons; there's not *all* that much you can do with
> one command. However, do you need that "import os" there? It may
> already be in the environment from the file that executes it. This
> isn't a solution, though, just a workaround.
>
Actually it's only the bit after the semi-colon that's the injected code. The 
bit before has to just not fail with "object." in front of it. So bailing out 
if a semi-colon is present should be enough I think. But like all these 
things the danger is in what you haven't thought of yet.
-- 
John Green

john thegreens co uk

Follow-Ups:
- Re: [jokosher-devel] Jokosher Security Vulnerability
  - From: Nick Murtagh

References:
- [jokosher-devel] Jokosher Security Vulnerability
  - From: Laszlo Pandy
- Re: [jokosher-devel] Jokosher Security Vulnerability
  - From: Stuart Langridge

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]