Re: deb vfs security issue (CAN-2004-0494)
- From: Jakub Jelinek <jakub redhat com>
- To: Leonard den Ottolander <leonard den ottolander nl>
- Cc: MC Devel <mc-devel gnome org>
- Subject: Re: deb vfs security issue (CAN-2004-0494)
- Date: Thu, 19 Aug 2004 10:30:57 +0200
On Wed, Aug 18, 2004 at 09:33:28PM +0200, Leonard den Ottolander wrote:
> On Wed, 2004-08-18 at 18:40, Jakub Jelinek wrote:
> > Also, isn't mcdebfs_copyout's destfile not used just in system ()
> > (where it should be escaped), but also in
> > if ( open(FILEOUT,">$destfile") )
> > (where I'd say it should not be escaped)?
> 
> Why not there?
I don't even pretend I know perl, but given:
foo1:
#!/usr/bin/perl
local($destfile)=$ARGV[0];
if ( open(FILEOUT,">$destfile") )
{
print FILEOUT "bar";
close FILEOUT;
}
system("echo foo >> $destfile");
foo2:
!/usr/bin/perl
local($destfile)=map(s/([^\w\/.+-])/\\$1/g, $ARGV[0]);
if ( open(FILEOUT,">$destfile") )
{
print FILEOUT "bar";
close FILEOUT;
}
system("echo foo >> $destfile");
foo3:
#!/usr/bin/perl
local($destfile)=quotemeta($ARGV[0]);
if ( open(FILEOUT,">$destfile") )
{
print FILEOUT "bar";
close FILEOUT;
}
system("echo foo >> $destfile");
I get two files created by the first and third when running
./fooN 'x`date`y'
For foo1:
xThu Aug 19 12:44:37 CEST 2004y (containing foo)
x`date`y (containing bar)
For foo2:
2 (containing barfoo)
For foo3:
x`date`y (containing foo)
x\`date\`y (containing bar)
	Jakub
[
Date Prev][
Date Next]   [
Thread Prev][
Thread Next]   
[
Thread Index]
[
Date Index]
[
Author Index]