Fixed with commit 789a155418ef441f5d0a200272328aba2ef8b631 from Matttbe, we still use the obnoxious system() but at least it's safe!
** Changed in: cairo-dock-core
       Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/925632

Title:
  cairo-dock uses system() with unfiltered strings, allowing to run any command

Status in Cairo-Dock Core:
  Fix Released

Bug description:
  Cairo-dock-core uses system() in many places, improperly, on not
  filtered/not escaped strings. For example cairo-dock-themes-manager.c
  has zillions of examples of such misuse.

  For example:

    g_string_printf (sCommand, "rm -rf \"%s/%s\"", g_cThemesDirPath, cThemeName);

  If cThemeName is "\"; whoami; \"", it would execute the 'whoami'
  command.

  Never assume paths contain only "nice" characters! Never assume
  (almost) any string that is not set explicitly to contain only "nice"
  characters!

  This allows to run any command, even malicious, or, if you are lucky,
  the shell can produce just a warning about wrong syntax (depending on
  what's fed to system()).

  Consider using a function that does not invoke shell or copy/remove
  files without using external commands (when appropriate - system() is
  used for many tasks); or use g_shell_quote - it will probably do the
  job, too.

  I consider the "I can run any command without any control" a security
  vulnerability and I am marking it as such. Let alone that unintended
  files can be removed or whatever...

  Thanks.
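
Added example (not part of the bug report or the cairo-dock code): the command string the reported g_string_printf pattern produces for the report's theme name, next to one built with single-quote quoting. shell_quote() is a hypothetical stand-in that follows g_shell_quote()'s quoting rule so the block compiles without GLib; the "/themes" directory is a constructed value.

```c
/* Added example: commands are only built and printed, never executed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for g_shell_quote(): wrap in '...' and rewrite each ' as '\'' */
char *shell_quote(const char *s) {
    size_t n = 3;                               /* two quotes + NUL */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *w = out;
    if (!out) return NULL;
    *w++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    }
    *w++ = '\''; *w = '\0';
    return out;                                 /* caller frees */
}

/* Pattern from the report: the name is pasted between double quotes. */
char *build_unsafe(const char *dir, const char *name) {
    size_t n = strlen(dir) + strlen(name) + sizeof "rm -rf \"/\"";
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "rm -rf \"%s/%s\"", dir, name);
    return cmd;
}

/* Quoted variant: dir/name reaches the shell as exactly one word. */
char *build_quoted(const char *dir, const char *name) {
    size_t n = strlen(dir) + strlen(name) + 2;
    char *path = malloc(n), *q = NULL, *cmd = NULL;
    if (path) { snprintf(path, n, "%s/%s", dir, name); q = shell_quote(path); }
    if (q && (cmd = malloc(strlen(q) + sizeof "rm -rf ")))
        sprintf(cmd, "rm -rf %s", q);
    free(path); free(q);
    return cmd;
}

int main(void) {
    const char *name = "\"; whoami; \"";        /* theme name from the report */
    char *u = build_unsafe("/themes", name), *q = build_quoted("/themes", name);
    if (u && q) printf("unsafe: %s\nquoted: %s\n", u, q);
    free(u); free(q);
    return 0;
}
```

Quoting only stops the shell from interpreting the name; a name such as ".." still resolves outside the themes directory, so the name itself also needs validating.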