Open liamzee opened 6 months ago
I got a confirmation from the maintainer that there was a security hole between 3.4 and 3.18.
"It was only a problem on unix systems if the programmer was using quotes, double quotes or grave accents (reversed quote) in the title or message in the dialogs. (At the time, there were instructions not to do that.) Just replace the old file by the latest one v3.18 from sourceforge, the API is the same."
Just to clarify: It is not a vulnerability that can be abused by an end user. It was a non-obvious trap where, in some cases, the content of the message or title was partially executed as a shell command. For sure a problem, probably puzzling for the programmer, but not a vulnerability that can be exploited by a user. It was remedied around version 3.6 for ' and ". But the issue with the grave accent was discovered later and solved in v3.17.
IIRC, the tinyfiledialogs version used as a basis is now considered obsolete and dangerous due to known security holes.
Are there any attempts to update this? Because this is one of the simplest and easiest GUI apps in Haskell, and I enjoyed using it very much.
If you don't want to maintain it, could we take this into Haskell Github Trust?
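To make the trap the maintainer describes concrete, here is an added example written for this page; it is not code from tinyfiledialogs or from the Haskell binding. It reconstructs the general pattern of a dialog wrapper that interpolates the title and message into a shell command string, then contrasts it with escaping every argument and with handing an argv list straight to the program. `printf` stands in for the real dialog program (zenity, kdialog, ...) so the example runs headless; that stand-in and the sample messages are assumptions made for the demonstration.

```python
"""Illustrative reconstruction of the shell-interpolation trap described in the
issue. Not the library's code: `printf` replaces the dialog program so this
runs without a display, and the messages below are constructed samples."""
import shlex
import subprocess

# Constructed samples: one "innocent" message with quotes, one with a
# grave-accent command substitution.
PLAIN_MESSAGE = "It's done: \"all\" files saved"
BACKTICK_MESSAGE = "Saved `echo INJECTED` files"


def dialog_cmd_unsafe(title, message):
    """Naive popen()-style wrapper: wrapping in double quotes keeps spaces
    together but leaves `...`, $(...) and embedded double quotes to the shell."""
    return 'printf \'%s|%s\' "{}" "{}"'.format(title, message)


def dialog_cmd_quoted(title, message):
    """Same shell command line, but each argument goes through shlex.quote,
    which single-quotes it so the shell interprets no metacharacter at all."""
    return "printf '%s|%s' {} {}".format(shlex.quote(title), shlex.quote(message))


def run_shell(cmd):
    """Run a command string through /bin/sh, as popen() would."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(title, message):
    """No shell involved: the argv list is passed directly to the program,
    so title and message arrive as literal bytes whatever they contain."""
    return subprocess.run(
        ["printf", "%s|%s", title, message], capture_output=True, text=True
    ).stdout


def demo():
    """Return what the stand-in dialog program actually received in each case."""
    return {
        # backtick message: the naive wrapper runs `echo INJECTED`
        "unsafe_backtick": run_shell(dialog_cmd_unsafe("Info", BACKTICK_MESSAGE)),
        "quoted_backtick": run_shell(dialog_cmd_quoted("Info", BACKTICK_MESSAGE)),
        "argv_backtick": run_argv("Info", BACKTICK_MESSAGE),
        # quoted message: the naive wrapper silently strips the inner quotes
        "unsafe_plain": run_shell(dialog_cmd_unsafe("Info", PLAIN_MESSAGE)),
        "quoted_plain": run_shell(dialog_cmd_quoted("Info", PLAIN_MESSAGE)),
        "argv_plain": run_argv("Info", PLAIN_MESSAGE),
    }


if __name__ == "__main__":
    for name, received in demo().items():
        print(f"{name:16} -> {received!r}")
```

The unsafe variant shows both symptoms from the thread: the backtick message comes out as `Saved INJECTED files` because the shell ran the substitution, and the quoted message loses its inner double quotes, which is exactly the kind of puzzling behaviour a programmer would see without realising a shell was involved. Fixing one metacharacter at a time (first `'` and `"`, later the grave accent) is fragile; quoting every argument with `shlex.quote`, or better, never building a command string and passing argv directly, closes the whole class.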