Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
From: Foteos Macrides
Subject: Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
Date: Tue, 24 Jun 1997 22:02:35 -0500 (EST)
H E Nelson <address@hidden> wrote:
>> Now, all that said.... the ability to get a shell, or cause lynx to pass
>> arbitrary _user-supplied_input_ to the system() command *is* a 'bad thing',
>> and should be plugged. Refusing to process any strings containing any
>> shell 'special' characters could be a good start.
>
>Question I have is why it is necessary for Lynx to call `sh' to do a
>`cp'. Wayne said something about doing an exec(). Why can't this be
>done, or is it not any "safer"?
You'll have to ask Lou Montulli why. :) :) The DIRED_SUPPORT
uses a my_spawn() with fork/execv and compulsive quoting, and for VMS
I define system() to a safe substitute. I thought that doing the latter
for Unix as well was on Klaus' todo list, but we'll have to track him
down to ask if that's still so. Is he a student who's gone for the
summer? Anyway, I'm reasonably confident my mods plug that security
hole for the Unix folks, and expect that Wayne can handle the problem
for DOS/WIN/NT if they have it.
Fote
=========================================================================
Foteos Macrides Worcester Foundation for Biomedical Research
address@hidden 222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================
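The exchange above asks why a `cp` has to go through `sh` at all and whether an exec() would be safer. The following is an added example, not Lynx's own my_spawn() or any code from this thread: it puts the system()-based pattern the thread calls a "bad thing" beside a fork/execvp spawn that hands each filename to `cp` as its own argv element, plus the metacharacter check the quoted message suggests. All function names, the scratch directory and the hostile filename are constructed for the demonstration.

```c
/* Added example (not Lynx code). Contrast: user-supplied filenames
 * spliced into a shell command line for system() versus a direct
 * fork/execvp of cp. Helper names and paths are hypothetical. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Returns 1 if s contains any byte a Bourne shell would treat specially.
 * This is the "refuse strings with shell special characters" check. */
int has_shell_meta(const char *s)
{
    static const char meta[] = "|&;<>()$`\\\"' \t\n*?[]#~!{}";
    for (; *s; s++)
        if (strchr(meta, *s))
            return 1;
    return 0;
}

/* UNSAFE pattern: the names become part of a command line that sh parses,
 * so a filename like "x; rm -rf ~" runs a second command. Shown only for
 * the shape of the bug; it is never called with untrusted input here. */
int unsafe_copy(const char *src, const char *dst)
{
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "cp %s %s", src, dst);
    return system(cmd);
}

/* SAFE pattern: fork, then exec cp directly with each name as one argv
 * element. No shell sees the bytes, so metacharacters are just characters
 * in a filename. "--" stops cp from treating a leading '-' as an option.
 * Returns cp's exit status, or -1 on fork/wait failure. */
int spawn_cp(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
        execvp("cp", argv);
        _exit(127);            /* reached only if exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration: make a scratch dir, copy a real file via spawn_cp, then
 * pass a constructed filename carrying "; touch <marker>". Returns 1 if
 * the real copy succeeded AND the marker was never created (cp only
 * reports the odd name as a missing file), else 0. */
int demo(void)
{
    char dir[64] = "/tmp/spawnXXXXXX";
    if (!mkdtemp(dir)) {                    /* fall back to cwd */
        strcpy(dir, "./spawnXXXXXX");
        if (!mkdtemp(dir))
            return 0;
    }
    char src[256], dst[256], marker[256], evil[600];
    snprintf(src, sizeof src, "%s/in.txt", dir);
    snprintf(dst, sizeof dst, "%s/out.txt", dir);
    snprintf(marker, sizeof marker, "%s/pwned", dir);
    snprintf(evil, sizeof evil, "%s/nope; touch %s", dir, marker);

    FILE *f = fopen(src, "w");
    if (!f)
        return 0;
    fputs("hello\n", f);
    fclose(f);

    int ok_copy = (spawn_cp(src, dst) == 0);
    int rc_evil = spawn_cp(evil, dst);      /* cp: no such file -> nonzero */
    struct stat st;
    int injected = (stat(marker, &st) == 0);

    unlink(src); unlink(dst); rmdir(dir);
    return ok_copy && rc_evil != 0 && !injected;
}

int main(void)
{
    printf("has_shell_meta(\"x; rm -rf ~\") = %d\n", has_shell_meta("x; rm -rf ~"));
    printf("demo() = %d\n", demo());
    return 0;
}
```

The spawn path does what the thread's `exec()` suggestion implies: once `cp` is exec'd with an argv array there is no second parse, so quoting rules and metacharacter filters stop mattering for that call. The `has_shell_meta()` check remains useful as a belt-and-braces rejection for any code path that still must build a command line.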