leoshaw / rubyripper

Automatically exported from code.google.com/p/rubyripper
0 stars 0 forks source link

Security issue in command invocation #578

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
On the stable branch, the use of popen() to run terminal commands constructed 
from user (or freedb) input is a security issue.

From my brief perusal of HEAD, it may also be an issue with PTY.spawn().

The solution I've come up with is to pass commands directly to subprocesses' 
ARGV using popen. The method I've used to split the command line into tokens is 
a total hack, but seems to be functional.

In my mind, a better solution would be to construct commands as an array of 
arguments rather than a string, and pass this array directly to popen (also 
avoiding use of the terminal).

My patch against the stable branch is attached.

Original issue reported on code.google.com by sc...@sl.id.au on 18 Aug 2013 at 12:54

Attachments: