[mira_talk] Re: Bug when the mira executable is in a directory with a space character in the name

  • From: Sidney Markowitz <sidney@xxxxxxxxxxxxxx>
  • To: mira_talk@xxxxxxxxxxxxx
  • Date: Tue, 18 Feb 2014 23:16:20 +1300

Bastien Chevreux wrote, On 2/18/14 10:54 PM:
> Good, I'll add that to the code base. But remember the first rule of a
> developer: users are never reasonable. E.g.: "/somewhere/I'm gonna earn lotsa
> $$$ & get rich/mira/" :-)

If you want to go to the effort of handling the unreasonable user, the
alternative I was thinking of trying is to instead of calling system on the
entire command string, use fork(), one of the execv family of calls, and
wait() to get the same result without any shell parsing of the string.

If there were any chance of an attacker having control of the path of the file
being executed then that would be necessary to prevent evil things from being
done with code injection into the shell command. But in this case I don't mind
a user having the ability to configure their own machines with that
unreasonable path and giving themselves unreasonable results.

 Sidney
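
The fork()/execv()/wait() alternative described above, as an added example that is not part of the original post or of MIRA's code. The names run_no_shell and demo_unreasonable_path are hypothetical, a symlink to /bin/sh stands in for the mira executable, and the directory name is the one from the quoted message.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run the program at `path` with `argv`, with no shell in between.
 * The path reaches the kernel as one string, so spaces, quotes, '$' and '&'
 * in it are never parsed. Returns the child's exit status, 127 if execv
 * failed, or -1 on fork/wait failure or abnormal termination. */
int run_no_shell(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);               /* only reached if execv failed */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)       /* retry only when interrupted by a signal */
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed demo: put an executable (a symlink to /bin/sh, standing in for
 * mira) under the "unreasonable" directory name and run it without a shell. */
int demo_unreasonable_path(void)
{
    char dir[] = "/tmp/I'm gonna earn lotsa $$$ & get rich XXXXXX";
    char exe[256];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(exe, sizeof exe, "%s/mira", dir);
    if (symlink("/bin/sh", exe) != 0) {
        rmdir(dir);
        return -1;
    }
    char *const argv[] = { "sh", "-c", "exit 7", NULL };
    int rc = run_no_shell(exe, argv);   /* expected: 7 */
    unlink(exe);
    rmdir(dir);
    return rc;
}
```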
