[Help-smalltalk] Security Issue VFS
From: maarten
Subject: [Help-smalltalk] Security Issue VFS
Date: Wed, 16 Nov 2011 15:31:40 +0100
User-agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1

Hello,
Holger Fretyher and I concluded that there's a security issue in the
VFSAddOns package.
Code like this:
    PackageLoader fileInPackage: 'VFSAddOns'.
    ((File name: 'dontcare') zip) createDirectory: '; xterm'.
Will not only try to open the zip, but also execute xterm, which
shouldn't be possible.
Now I'm wondering what would be the best way to fix this.
Paolo Bonzini suggested that doing something like:
    st> 'abc'';xterm' asFile displayNl
    'abc'\'';xterm'
might fix something.
I wonder if this would suffice or if there probably exists something
like the execvp system call for gnu-smalltalk?
Also, VFSAddOns contained two bugs which made it impossible to use. I
think I've fixed those now, so I'll try to submit those later. Where
should I do this?