cairo-dock-team team mailing list archive

[Matthieu Baerts <matttbe@xxxxxxxxx>]

Thank you for this interesting bug report!

@Fabounet: can you have a look at this?

** Changed in: cairo-dock-core
   Importance: Undecided => Critical

** Changed in: cairo-dock-core
       Status: New => Confirmed

** Changed in: cairo-dock-core
     Assignee: (unassigned) => Fabounet (fabounet03)

-- 
You received this bug notification because you are a member of Cairo-
Dock Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/925632

Title:
  cairo-dock uses system() with unfiltered strings, allowing to run any
  command

Status in Cairo-Dock : Core:
  Confirmed

Bug description:
  Cairo-dock-core uses system() in many places, inproperly, on not filtered/not escaped strings.
  For example cairo-dock-themes-manager.c has zillions of examples of such misuse.

  for example:
  g_string_printf (sCommand, "rm -rf \"%s/%s\"", g_cThemesDirPath, cThemeName);

  if cThemeName is  "\"; whoami; \"", it would execute the 'whoami'
  command.

  Never assume paths contain only "nice" characters!
  Never assume (almost) any string that is not set explicitively to contain only "nice" characters!

  This allows to run any command, even malicious, or, if you are lucky,
  the shell can produces just a warning about wrong syntax (depending on
  what's fed to system().

  Consider using a function that does not invoke shell or copy/remove
  files without using external commands (when appropriate - system() is
  used for many tasks); or use g_shell_quote - it will probably do the
  job, too.

  I consider the "I can run any command without any control" a security
  vulnerability and I am marking it as such. Let alone that unintended
  files can be removed or whatever...

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cairo-dock-core/+bug/925632/+subscriptions