Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 13 Dec 2012 16:51:15 +0100
From: Peter Bex <>
Subject: Re: Geany IDE not escaping filenames during compilation / build - a security issue or not?

On Thu, Dec 13, 2012 at 08:42:51AM -0700, Kurt Seifried wrote:
> On 12/13/2012 04:12 AM, Simon McVittie wrote:
> > If shell syntax is not specifically needed, it would be even better
> > to use a mechanism not involving parsing shell syntax, like
> > posix_spawn(), GLib's g_spawn_async() or Python's os.spawn* family,
> > to launch the compiler (analogous to using prepared statements to
> > avoid ever having to think about SQL escaping or SQL injection).
> If anyone knows similar functions/etc for other programming languages
> please let me know off list so I can compile a list of these and then
> post them for future reference. Thanks!

Chicken Scheme ( has multi-argument versions of the
process family of procedures which map to the exec() family.
These are a bit tricky, since the one-argument versions fall back to
system()-like functionality.  I consider this dangerous.

There's also the scsh-process egg, which is much more fool-proof:
It's modeled after SCSH, the Scheme Shell.  A few other Scheme
implementations (at least Guile and Scheme48 iirc) also have a version
of this safe notation.

Peter Bex
"The process of preparing programs for a digital computer
 is especially attractive, not only because it can be economically
 and scientifically rewarding, but also because it can be an aesthetic
 experience much like composing poetry or music."
							-- Donald Knuth

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.