Comment 16 for bug 1520691
Revision history for this message
| edso (ed.so) wrote Re: [Duplicity-team] [Bug 1520691] Re: Shell Code Injection in hsi backend | #16 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
On 30.11.2015 20:34, Bernd Dietzel wrote:
> @edso
> This depends on the program witch we call.
> We can not check all of the possible parameter combinations if they lead to a leak.
> So we do not want to have the arguments out of our hands.
well, most (if not all) legacy command lines start with a word, so parameter issues sound merely academic from a security point of view.
having written that i realise, there might be corner cases leading to sensitive files read/overwritten files when run as root, when the client binary fails to parse params correctly, that might be worth the effort to manually patch each and every backend affected.
> @Kenneth
> Why do we put the commands into a long string and afterwards "hopefully" spilt them again ?
> We should put them directly into a commandlist at the point we still know what was what.
> This would make it easy again ;-)
>
there is the "ominous" we agn. ;) patching every backend is a lot of effort and some "ominous" somebody needs to find the time to hack the solution. are you volunteering?
..ede/duply.net