
List:       kde-core-devel
Subject:    Re: KDE 3.1: delayed
From:       Christian Loose <Christian.Loose () hamburg ! de>
Date:       2002-12-06 9:05:07

> On Friday 06 December 2002 01:07, Charles Samuels wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On Thursday 05 December 2002 3:44, Dirk Mueller wrote:
> > > On November 26th, we've been notified by FozZy from the "Hackademy
> > > Audit Project" about security problems in KDE.
> > 
> > I'd like to know, out of curiosity's sake, what this problem actually is.
> > Unless there's reason to believe that if you divulge it, people would take
> > advantage of it, that is.
> 
> The idea is that you must properly quote program arguments before passing them 
> to a shell if you want to rule out the possibility that they are being 
> interpreted as shell commands themselves.
> 
> Cheers,
> Waldo

Why don't we make a C++ interface for these problematic functions like popen() or
system(), so you can't use them wrong? Otherwise, I think, it will always happen that
somebody forgets to properly quote the arguments.

Bye
Christian
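
An added example, not part of the original message or of KDE's code: a sketch of both ideas in this thread, a quoting helper for arguments that must pass through a shell and a C++ wrapper that runs a program from an argument vector so no shell parses the arguments at all. The names shellQuote and SafeCommand are hypothetical, and POSIX fork/execvp is assumed.

```cpp
// Added illustration; shellQuote and SafeCommand are hypothetical names.
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Quote one argument for /bin/sh: wrap it in single quotes; ' becomes '\''.
std::string shellQuote(const std::string& arg) {
    std::string out = "'";
    for (char c : arg) out += (c == '\'') ? std::string("'\\''") : std::string(1, c);
    return out + "'";
}

// Runs a program from an argument vector; no shell ever parses the arguments.
class SafeCommand {
public:
    explicit SafeCommand(const std::string& program) { args_.push_back(program); }
    SafeCommand& operator<<(const std::string& arg) { args_.push_back(arg); return *this; }

    // Returns the child's stdout. exitCode is -1 if the child could not be
    // created or did not exit normally, 127 if exec failed.
    std::string run(int& exitCode) const {
        exitCode = -1;
        int fds[2];
        if (pipe(fds) != 0) return "";
        pid_t pid = fork();
        if (pid < 0) { close(fds[0]); close(fds[1]); return ""; }
        if (pid == 0) {                       // child: stdout -> pipe, then exec
            dup2(fds[1], STDOUT_FILENO);
            close(fds[0]); close(fds[1]);
            std::vector<char*> argv;
            for (const std::string& a : args_) argv.push_back(const_cast<char*>(a.c_str()));
            argv.push_back(nullptr);
            execvp(argv[0], argv.data());     // each string arrives as one argv entry
            _exit(127);                       // only reached if exec failed
        }
        close(fds[1]);
        std::string out;
        char buf[256];
        ssize_t n;
        while ((n = read(fds[0], buf, sizeof buf)) > 0) out.append(buf, static_cast<size_t>(n));
        close(fds[0]);
        int status = 0;
        if (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) exitCode = WEXITSTATUS(status);
        return out;
    }
private:
    std::vector<std::string> args_;
};
```

With the wrapper, an argument containing `;`, backticks or `$(...)` reaches the program as literal text, because the caller never builds a command string.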

