Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Tavis Ormandy <taviso <at> sdf.lonestar.org>
Subject: fvwm security issue
Newsgroups: gmane.comp.window-managers.fvwm.devel
Date: Friday 10th November 2006 14:24:25 UTC (over 10 years ago)
Hi there, we were discussing security in the irc channel today and I
noticed that the security bug a few years ago in fvwm-menu-directory
hasnt been completely solved:

$ mkdir '
> 
> Exec xmessage -timeout 2 Oops
> '
$ fvwm-menu-directory --dir=`pwd`
DestroyMenu recreate "/home/taviso/tmp/t"
AddToMenu "/home/taviso/tmp/t"
+ DynamicPopDownAction DestroyMenu "/home/taviso/tmp/t"
+ MissingSubmenuFunction FuncFvwmMenuDirectory
+ "/home/taviso/tmp/t" Exec cd "/home/taviso/tmp/t"; xterm -e /bin/bash
+ "" Nop
+ "  Exec xmessage -timeout 2 Oops " Popup "/home/taviso/tmp/t/

Exec xmessage -timeout 2 Oops
" item +100 c

it looks like evalFolderLine() uses escapeFvwmName() rather than
escapeFileName() on directory names (sorry, not a perl programmer :)),
should this be changed?

Thanks, Tavis.

-- 
-------------------------------------
[email protected] | finger me for my pgp key.
-------------------------------------------------------
 
CD: 3ms