cairo-dock-team team mailing list archive

[Sławomir Nizio <925632@xxxxxxxxxxxxxxxxxx>]

I was going to joke about a "quick fix" but I can see that the commit is
from 2012. Which ruins my joke but still, thanks!

-- 
You received this bug notification because you are a member of Cairo-
Dock Devs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/925632

Title:
  cairo-dock uses system() with unfiltered strings, allowing to run any
  command

Status in Cairo-Dock Core:
  Fix Released

Bug description:
  Cairo-dock-core uses system() in many places, inproperly, on not filtered/not escaped strings.
  For example cairo-dock-themes-manager.c has zillions of examples of such misuse.

  for example:
  g_string_printf (sCommand, "rm -rf \"%s/%s\"", g_cThemesDirPath, cThemeName);

  if cThemeName is  "\"; whoami; \"", it would execute the 'whoami'
  command.

  Never assume paths contain only "nice" characters!
  Never assume (almost) any string that is not set explicitively to contain only "nice" characters!

  This allows to run any command, even malicious, or, if you are lucky,
  the shell can produces just a warning about wrong syntax (depending on
  what's fed to system().

  Consider using a function that does not invoke shell or copy/remove
  files without using external commands (when appropriate - system() is
  used for many tasks); or use g_shell_quote - it will probably do the
  job, too.

  I consider the "I can run any command without any control" a security
  vulnerability and I am marking it as such. Let alone that unintended
  files can be removed or whatever...

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cairo-dock-core/+bug/925632/+subscriptions