cairo-dock-team team mailing list archive

[Fabounet <925632@xxxxxxxxxxxxxxxxxx>]

Fixed with commit 789a155418ef441f5d0a200272328aba2ef8b631 from Matttbe,
we still use the obnoxious system() but at least it's safe!

** Changed in: cairo-dock-core
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Cairo-
Dock Devs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/925632

Title:
  cairo-dock uses system() with unfiltered strings, allowing to run any
  command

Status in Cairo-Dock Core:
  Fix Released

Bug description:
  Cairo-dock-core uses system() in many places, inproperly, on not filtered/not escaped strings.
  For example cairo-dock-themes-manager.c has zillions of examples of such misuse.

  for example:
  g_string_printf (sCommand, "rm -rf \"%s/%s\"", g_cThemesDirPath, cThemeName);

  if cThemeName is  "\"; whoami; \"", it would execute the 'whoami'
  command.

  Never assume paths contain only "nice" characters!
  Never assume (almost) any string that is not set explicitively to contain only "nice" characters!

  This allows to run any command, even malicious, or, if you are lucky,
  the shell can produces just a warning about wrong syntax (depending on
  what's fed to system().

  Consider using a function that does not invoke shell or copy/remove
  files without using external commands (when appropriate - system() is
  used for many tasks); or use g_shell_quote - it will probably do the
  job, too.

  I consider the "I can run any command without any control" a security
  vulnerability and I am marking it as such. Let alone that unintended
  files can be removed or whatever...

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cairo-dock-core/+bug/925632/+subscriptions