Subject: fvwm security issue
Newsgroups: gmane.comp.window-managers.fvwm.devel
Date: 2006-11-10 14:24:25 GMT (2 years, 33 weeks, 5 days, 3 hours and 5 minutes ago)
Hi there, we were discussing security in the irc channel today and I noticed that the security bug a few years ago in fvwm-menu-directory hasnt been completely solved: $ mkdir ' > > Exec xmessage -timeout 2 Oops > ' $ fvwm-menu-directory --dir=`pwd` DestroyMenu recreate "/home/taviso/tmp/t" AddToMenu "/home/taviso/tmp/t" + DynamicPopDownAction DestroyMenu "/home/taviso/tmp/t" + MissingSubmenuFunction FuncFvwmMenuDirectory + "/home/taviso/tmp/t" Exec cd "/home/taviso/tmp/t"; xterm -e /bin/bash + "" Nop + " Exec xmessage -timeout 2 Oops " Popup "/home/taviso/tmp/t/ Exec xmessage -timeout 2 Oops " item +100 c it looks like evalFolderLine() uses escapeFvwmName() rather than escapeFileName() on directory names (sorry, not a perl programmer :)), should this be changed? Thanks, Tavis. -- ------------------------------------- taviso <at> sdf.lonestar.org | finger me for my pgp key. -------------------------------------------------------