Re: system() & user input


> There is some unchecked and unquoted user input there
> (subject, to and copy in the pipe_mail(), sort option in the 
> edit_sort_cmd() and filename itself in the edit_block_process()).
> I don't like to see a bug report about something like 'I formatted file 
> `echo rm -rf /*`.c and I lost my system after it' and so on.  It seems we 
> need to quote such user input or use fork()+execvpe() for such cases.

You are right, we should not use system() unless the user expects the 
shell to interpret the commands, which is not the case in either of those 

I don't think those bugs can be actually exploited, but writing quoted
"some_command; rm -rf /" in the subject of e-mail can be a problem, and it
can really happen.

I actually don't understand the reason why mc_doublepopen() uses two
forks.  The comment doesn't say anything about it.  I'd like to see a more
unified approach to running external programs.

Pavel Roskin
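
The difference between system() and the fork()+exec approach raised in the thread, as an added example that is not part of the original message or of the mc source. run_argv(), run_with_shell() and run_without_shell() are hypothetical names, execvp() stands in for execvpe(), and the file name is a constructed sample whose embedded command only sets an exit status.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] with exactly these arguments; no shell parses them.
 * Returns the child's exit status, or -1 on error. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* only reached if exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The pattern under discussion: the name is pasted into a shell command. */
int run_with_shell(const char *name)
{
    char cmd[256];
    int status;
    snprintf(cmd, sizeof cmd, "true %s", name);
    status = system(cmd);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Same program, but the name travels as a single argv element. */
int run_without_shell(const char *name)
{
    char *argv[] = { "true", (char *)name, NULL };
    return run_argv(argv);
}

int main(void)
{
    const char *name = "x.c; exit 42";   /* constructed sample file name */
    printf("system():        exit status %d\n", run_with_shell(name));
    printf("fork()+execvp(): exit status %d\n", run_without_shell(name));
    return 0;
}
```

With system() the shell treats the text after the semicolon as a second command, so the status is 42; with fork()+execvp() the whole string reaches the program as one argument and the status is 0.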
