[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-core-devel
Subject: Re: KDE 3.1: delayed
From: Christian Loose <Christian.Loose () hamburg ! de>
Date: 2002-12-06 9:05:07
[Download RAW message or body]
> On Friday 06 December 2002 01:07, Charles Samuels wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Thursday 05 December 2002 3:44, Dirk Mueller wrote:
> > > On November 26th, we've been notified by FozZy from the "Hackademy
> > > Audit Project" about security problems in KDE.
> >
> > I'd like to know, out of curiosity's sake, what this problem actually is.
> > Unless there's reason to believe that if you divulge it, people would take
> > advantage of it, that is.
>
> The idea is that you must properly quote program arguments before passing them
> to a shell if you want to rule out the possibility that they are being
> interpreted as shell commands themselves.
>
> Cheers,
> Waldo
Why don't we make a C++ interface for these problematic functions like popen() or \
system(), so you can't use them wrong? Otherwise, I think, it will always happen that \
somebody forgets to properly quote the arguments.
Bye
Christian
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic