Bug#172436: Security concerns regarding browser proposal

2003-08-17 Thread Anthony Towns
On Mon, Aug 04, 2003 at 08:56:23AM -0400, Matt Zimmerman wrote: > In making it safe, you are no longer implementing esr's specification. It > will break on nontrivial cases, such as the -remote commands for netscape: > > BROWSER="netscape -raise -remote \"openURL(%s, new-window)\":lynx" Wouldn't

Bug#172436: Security concerns regarding browser proposal

2003-08-04 Thread Matt Zimmerman
On Sun, Aug 03, 2003 at 11:03:21PM -0400, Joey Hess wrote: > Matt Zimmerman wrote: > > It might be a good idea to specify how quoting should be handled, both for > > shell metacharacters and format specifiers. > > Well, it's been discussed several times before, but what the hey, I > guess I can d

Bug#172436: Security concerns regarding browser proposal

2003-08-04 Thread Jakob Bohm
On Sun, Aug 03, 2003 at 07:48:43PM -0400, Matt Zimmerman wrote: > It might be a good idea to specify how quoting should be handled, both for > shell metacharacters and format specifiers. > > From the existing text, it seems that "command part" means "shell command > part", and it is impossible to

Bug#172436: Security concerns regarding browser proposal

2003-08-03 Thread Matt Zimmerman
On Mon, Aug 04, 2003 at 02:07:26AM +0100, Colin Watson wrote: > On Sun, Aug 03, 2003 at 07:48:43PM -0400, Matt Zimmerman wrote: > > It might be a good idea to specify how quoting should be handled, both for > > shell metacharacters and format specifiers. > > Odd, I thought I'd mentioned > http://

Bug#172436: Security concerns regarding browser proposal

2003-08-03 Thread Joey Hess
Colin Watson wrote: > On Sun, Aug 03, 2003 at 07:48:43PM -0400, Matt Zimmerman wrote: > > It might be a good idea to specify how quoting should be handled, both for > > shell metacharacters and format specifiers. > > Odd, I thought I'd mentioned > http://www.dwheeler.com/browse/secure_browser.html

Bug#172436: Security concerns regarding browser proposal

2003-08-03 Thread Joey Hess
Matt Zimmerman wrote: > It might be a good idea to specify how quoting should be handled, both for > shell metacharacters and format specifiers. Well, it's been discussed several times before, but what the hey, I guess I can discuss it one more time. My browser proposal assumes that sensible-brow

Bug#172436: Security concerns regarding browser proposal

2003-08-03 Thread Colin Watson
On Sun, Aug 03, 2003 at 07:48:43PM -0400, Matt Zimmerman wrote: > It might be a good idea to specify how quoting should be handled, both for > shell metacharacters and format specifiers. Odd, I thought I'd mentioned http://www.dwheeler.com/browse/secure_browser.html in this bug, but evidently not.

Bug#172436: Security concerns regarding browser proposal

2003-08-03 Thread Matt Zimmerman
It might be a good idea to specify how quoting should be handled, both for shell metacharacters and format specifiers. From the existing text, it seems that "command part" means "shell command part", and it is impossible to implement this securely without specifying a scheme for handling shell me