[16416] in bugtraq
Re: MDKSA-2000:039 - xchat update (xchat-1.4.2-nourltoshell.patch)
daemon@ATHENA.MIT.EDU (Anthony Fok)
Mon Aug 28 12:46:37 2000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="azLHFNyN32YCQGCU"
Message-ID: <20000826033314.D15071@lovelife.olvc.ab.ca>
Date: Sat, 26 Aug 2000 03:33:14 -0600
Reply-To: Anthony Fok <foka@DEBIAN.ORG>
From: Anthony Fok <foka@DEBIAN.ORG>
X-To: Decklin Foster <decklin@red-bean.com>, xchat-discuss@nl.linux.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000826033358.B12391@photek.dhs.org>; from decklin@red-bean.com
on Sat, Aug 26, 2000 at 03:33:58AM -0400
--azLHFNyN32YCQGCU
Content-Type: text/plain; charset=us-ascii
On Sat, Aug 26, 2000 at 03:33:58AM -0400, Decklin Foster wrote:
> Joey Hess writes:
> > Actually it is. The "netscape (existing)" and "netscape (new window)"
> > menu entries are safe,
> Actually they're vulnerable too.
>
> http://drugs.org/just/say/'`yes`'
>
> The rule just puts openURL(%s) in single quotes, which can easily be
> broken out of as in the above pseudo-URL.
>
> I'm arguing for the use of execvp instead on the xchat mailing list,
> we'll see how this goes. It's 3:30 AM and I won't be able to write any
> code for it until tomorrow.
Hehe, a friend and Debian developer-to-be "Saka" YU Guanghui pointed
out an article on http://lwn.net/daily/. It turns out that Conectiva
has already put out a patch for it, and it uses execvp instead of
gnome-lib. :-) Here is the link:
http://lwn.net/daily/con-xchat.php3
And I have attached the patch in this message. Hope this helps! :-)
Anthony
P.S. Conectiva's web site is at http://www.conectiva.com.br/.
They have some other patches too, one of which I didn't quite
understand (because I don't know GNOME). :-) It does include
the up-to-date potfiles translations for es_ES and pt_BR,
so if anyone is interested, include them. :-)
All in all, I am quite impressed by Conectiva's package.
--
Anthony Fok Tung-Ling Civil and Environmental Engineering
foka@ualberta.ca, foka@debian.org University of Alberta, Canada
Debian Chinese Project -- http://www.debian.org/international/chinese/
Come visit Our Lady of Victory Camp -- http://www.olvc.ab.ca/
--azLHFNyN32YCQGCU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="xchat-1.4.2-nourltoshell.patch"
diff -uNr xchat-1.4.2.orig/src/common/xchat.c xchat-1.4.2/src/common/xchat.c
--- xchat-1.4.2.orig/src/common/xchat.c Fri Feb 25 09:08:19 2000
+++ xchat-1.4.2/src/common/xchat.c Thu Aug 24 16:45:09 2000
@@ -1045,6 +1045,31 @@
return 1; /* keep the timeout handler */
}
+
+void
+my_system_noshell (char *cmd)
+{
+ int pid;
+ char **argv;
+ int argc;
+
+ if (poptParseArgvString (cmd, &argc, &argv) != 0) {
+ g_warning ("Can't parse command '%s'", cmd);
+ return;
+ }
+
+ pid = fork ();
+ if (pid == -1)
+ return;
+ if (pid == 0)
+ {
+ execvp (argv[0], argv);
+ _exit(0);
+ } else
+ fe_timeout_add (1000, child_handler, (void *)pid);
+}
+
+
void
my_system (char *cmd)
{
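Review bot: In my_system_noshell the child calls _exit(0) when execvp returns, so a failed exec (missing binary, no permission) ends with status 0 and looks the same as success; use a non-zero status such as _exit(127). The parent also never releases argv after the fork: popt allocates it as a single block that the caller is expected to free(), so every call leaks it. pid is declared int and passed as (void *)pid, which is not portable where pointers are wider than int; declare it pid_t and convert explicitly.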
diff -uNr xchat-1.4.2.orig/src/fe-gtk/menu.c xchat-1.4.2/src/fe-gtk/menu.c
--- xchat-1.4.2.orig/src/fe-gtk/menu.c Thu Feb 10 09:19:57 2000
+++ xchat-1.4.2/src/fe-gtk/menu.c Thu Aug 24 16:45:17 2000
@@ -46,6 +46,7 @@
extern void palette_save (void);
extern void search_open (session *sess);
extern void my_system (char *cmd);
+extern void my_system_noshell (char *cmd);
extern void show_and_unfocus (GtkWidget * wid);
extern char *default_file (void);
extern void menu_about (GtkWidget * wid, gpointer sess);
@@ -99,7 +100,7 @@
char tbuf[256];
snprintf (tbuf, sizeof tbuf,
"netscape -remote 'openURL(%s)'", url);
- my_system (tbuf);
+ my_system_noshell (tbuf);
#endif
}
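Review bot: The snprintf format still wraps %s in single quotes, and the result is now re-tokenized by poptParseArgvString, which honours quotes and backslashes, so a ' in url still ends the openURL(...) argument and whatever follows is split into extra arguments for netscape. Backticks are no longer executed because no shell is involved, but the URL is still not guaranteed to arrive as one argument. Build the vector directly (argv[0] "netscape", argv[1] "-remote", argv[2] "openURL(<url>)") and hand it to execvp without the string round-trip. Separately, tbuf[256] lets snprintf truncate a long URL and drop the closing quote, after which parsing fails and the URL is not opened, with only a g_warning to show for it; check the snprintf return value.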
@@ -109,7 +110,7 @@
nick_command (session *sess, char *cmd)
{
if (*cmd == '!')
- my_system (cmd + 1);
+ my_system_noshell (cmd + 1);
else
handle_command (cmd, sess, FALSE, FALSE);
}
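Review bot: Switching the '!' branch of nick_command to my_system_noshell changes behaviour for user-defined commands: pipes, redirection, globbing and variable expansion were interpreted by the shell under my_system and are now passed to the program as literal arguments, which should be documented or the affected entries will fail without explanation. If cmd has already had a nickname or other remote-supplied text substituted into it before reaching this function (not visible in this hunk), quotes and whitespace in that text will still split arguments in poptParseArgvString; substituting after the argument vector is built would avoid that.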
--azLHFNyN32YCQGCU--
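Added example, not part of the original message or the Conectiva patch: the execvp approach argued for in the thread, with the argument vector built directly so the URL is never re-tokenized and stays a single argument. The function names are hypothetical, and "echo" stands in for "netscape -remote" (an assumption) so the result can be observed offline.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Format "openURL(<url>)" as one argv element; -1 if it would be truncated. */
int build_remote_arg(char *out, size_t outlen, const char *url)
{
    int n = snprintf(out, outlen, "openURL(%s)", url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* fork + execvp on a ready-made argv (no shell, no re-tokenizing), capturing
 * the child's stdout in buf. Returns the child's exit status, -1 on error. */
int run_argv_capture(char *const argv[], char *buf, size_t buflen)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;
    if (buflen == 0 || pipe(fds) == -1)
        return -1;
    if ((pid = fork()) == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);            /* exec failed: say so, do not exit 0 */
    }
    close(fds[1]);
    if (pid == -1) {           /* fork failed */
        close(fds[0]);
        return -1;
    }
    while (used < buflen - 1 && (n = read(fds[0], buf + used, buflen - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char arg[512], out[600];
    char *argv[] = { "echo", arg, NULL };  /* echo stands in for netscape -remote */
    if (build_remote_arg(arg, sizeof arg, "http://drugs.org/just/say/'`yes`'") == -1
        || run_argv_capture(argv, out, sizeof out) != 0)
        return 1;
    return fputs(out, stdout) == EOF;      /* prints the URL with quote and backticks intact */
}
```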