Date: Thu, 13 Dec 2012 16:51:15 +0100 From: Peter Bex <Peter.Bex@...all.nl> To: oss-security@...ts.openwall.com Subject: Re: Geany IDE not escaping filenames during compilation / build - a security issue or not? On Thu, Dec 13, 2012 at 08:42:51AM -0700, Kurt Seifried wrote: > On 12/13/2012 04:12 AM, Simon McVittie wrote: > > If shell syntax is not specifically needed, it would be even better > > to use a mechanism not involving parsing shell syntax, like > > posix_spawn(), GLib's g_spawn_async() or Python's os.spawn* family, > > to launch the compiler (analogous to using prepared statements to > > avoid ever having to think about SQL escaping or SQL injection). > > If anyone knows similar functions/etc for other programming languages > please let me know off list so I can compile a list of these and then > post them for future reference. Thanks! Chicken Scheme (www.call-cc.org) has multi-argument versions of the process family of procedures which map to the exec() family. http://wiki.call-cc.org/manual/Unit%20posix#processes These are a bit tricky, since the one-argument versions fall back to system()-like functionality. I consider this dangerous. There's also the scsh-process egg, which is much more fool-proof: http://wiki.call-cc.org/egg/scsh-process It's modeled after SCSH, the Scheme Shell. A few other Scheme implementations (at least Guile and Scheme48 iirc) also have a version of this safe notation. Cheers, Peter Bex -- http://sjamaan.ath.cx -- "The process of preparing programs for a digital computer is especially attractive, not only because it can be economically and scientifically rewarding, but also because it can be an aesthetic experience much like composing poetry or music." -- Donald Knuth
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.