[Help-smalltalk] Security Issue VFS

help-smalltalk

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Help-smalltalk] Security Issue VFS

From:	maarten
Subject:	[Help-smalltalk] Security Issue VFS
Date:	Wed, 16 Nov 2011 15:31:40 +0100
User-agent:	Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1


Hello,

Holger Fretyher and I concluded that there's a security issue in theVFSAddOns package.


Code like this:

PackageLoader fileInPackage: 'VFSAddOns'.
((File name: 'dontcare') zip) createDirectory: '; xterm'.

Will not only try to open the zip, but also execute xterm, whichshouldn't be possible.

Now I'm wondering what would be the best way to fix this.

Paolo Bonzini suggested that doing something like:

st> 'abc'';xterm' asFile displayNl
'abc'\'';xterm'

might fix something.

I wonder if this would suffice or if there probably exists somethinglike the execvp system call for gnu-smalltalk?

Also VFSAddOns contained two bugs which made it impossible to use, Ithink I've fixed those now so I'll try to submit those later. Whereshould I do this?

[Prev in Thread]

Current Thread

[Next in Thread]

[Help-smalltalk] Security Issue VFS, maarten <=
- Re: [Help-smalltalk] Security Issue VFS, Paolo Bonzini, 2011/11/16

Prev by Date: [Help-smalltalk] test
Next by Date: Re: [Help-smalltalk] Security Issue VFS
Previous by thread: [Help-smalltalk] test
Next by thread: Re: [Help-smalltalk] Security Issue VFS
Index(es):
- Date
- Thread