KDE 3.1: delayed
Christian.Loose at hamburg.de
Fri Dec 6 09:05:07 GMT 2002
> On Friday 06 December 2002 01:07, Charles Samuels wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > On Thursday 05 December 2002 3:44, Dirk Mueller wrote:
> > > On November 26th, we've been notified by FozZy from the "Hackademy
> > > Audit Project" about security problems in KDE.
> > I'd like to know, out of curiosity's sake, what this problem actually is.
> > Unless there's reason to believe that if you divulge it, people would take
> > advantage of it, that is.
> The idea is that you must properly quote program arguments before passing them
> to a shell if you want to rule out the possibility that they are being
> interpreted as shell commands themselves.
Why don't we make a C++ interface for these problematic functions like popen() or system(), so you can't use them wrong? Otherwise, I think, it will always happen that somebody forgets to properly quote the arguments.
More information about the kde-core-devel