> The issue isn't what it would do for Java, but having a widely deployed
> snprintf() past BSD4.4 platforms would help other security-conscious code.
I've come to the conclusion that "system()" and "popen()" should be removed
from the standard library, and replaced with something like this:
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

extern char **secure_environment;	/* set up by the "purify" step below */

int spawnv(in, out, path, av)
FILE *in, *out;
char *path;
char **av;
{
	int pid;

	if(out) fflush(out);
	fflush(stdout);
	switch(pid = fork()) {
	case -1: return -1;
	case 0:
		/* dup2(old, new): the caller's streams become the child's stdin/stdout */
		if(in) dup2(fileno(in), 0);
		if(out) dup2(fileno(out), 1);
		/* code in here to purify the environment
		   and other security stuff */
		/* execve, not execvp: no PATH search, and it takes the environment */
		execve(path, av, secure_environment);
		_exit(-errno);	/* _exit, so the child doesn't flush stdio buffers a second time */
	default:
		return pid;
	}
}
... with spawnl/spawnve/spawnle/... and something that works like popen
but takes spawn arguments...
fp = pipewl("/usr/sbin/sendmail", "sendmail", victim, NULL);
...
fp = piperl("/usr/bin/finger", "finger", victim, NULL);
This would be enough easier than raw fork/exec to keep people from wanting
to put "-linsecure" on the linker line, while being complete enough to
cover all the cases where you need system()/popen(). You could put gets() in
there as well, and sprintf, and so on...
Interpreters that provide a hook to popen (like Tcl, "open |....") should
also provide an alternate mechanism. Tcl has a good safe exec but you can't
safely open a pipe...
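The shell-free spawn and popen-style pipe the post sketches, worked out as an added example (editor-added code, not the poster's or any library's): an absolute path is exec'd with a fixed environment, no shell ever parses the arguments, and stray descriptors are closed before exec. The names secure_spawn, pipe_open, pipe_close and echo_via_pipe, the contents of the fixed environment, and the use of /bin/echo as the demonstration command are this example's assumptions.

```c
/* Added example, not the post's code: spawn + pipe with no shell in the path.
   Assumed names and policy (fixed environment, /bin/echo demo) are the editor's. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The child never inherits the caller's environment (no IFS, ENV, LD_PRELOAD,
   or attacker-chosen PATH); it sees only what is listed here. */
static char *const secure_environment[] = {
    "PATH=/usr/bin:/bin",
    NULL
};

/* Fork and exec `path` (must be absolute; nothing is searched) with argv `av`
   and the fixed environment. in_fd/out_fd become the child's stdin/stdout;
   pass -1 to inherit. Returns the child's pid, or -1 with errno set. */
pid_t secure_spawn(int in_fd, int out_fd, const char *path, char *const av[])
{
    if (path == NULL || path[0] != '/') { errno = EINVAL; return -1; }
    fflush(NULL);                       /* so the child can't flush our buffers again */
    pid_t pid = fork();
    if (pid != 0) return pid;           /* parent (pid > 0) or fork failure (-1) */

    /* child: pipe ends handed to us are >= 3, so these dup2 calls can't clobber each other */
    if (in_fd >= 0 && dup2(in_fd, STDIN_FILENO) < 0) _exit(127);
    if (out_fd >= 0 && dup2(out_fd, STDOUT_FILENO) < 0) _exit(127);
    /* close everything above stderr so no open file or socket leaks into the child */
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 4096) maxfd = 4096;
    for (int fd = STDERR_FILENO + 1; fd < maxfd; fd++) close(fd);
    execve(path, av, secure_environment);   /* execve: no PATH search, no shell */
    _exit(127);                             /* exec failed; 127 mirrors the shell's convention */
}

/* popen() without the shell: "r" reads the child's stdout, anything else writes
   its stdin. The child's pid is stored in *pidp for pipe_close(). */
FILE *pipe_open(const char *path, char *const av[], const char *mode, pid_t *pidp)
{
    int fds[2];
    int reading = (mode[0] == 'r');
    if (pipe(fds) < 0) return NULL;
    int child_end  = reading ? fds[1] : fds[0];
    int parent_end = reading ? fds[0] : fds[1];
    pid_t pid = reading ? secure_spawn(-1, child_end, path, av)
                        : secure_spawn(child_end, -1, path, av);
    int saved = errno;
    close(child_end);                   /* parent keeps only its own end */
    if (pid < 0) { close(parent_end); errno = saved; return NULL; }
    *pidp = pid;
    return fdopen(parent_end, reading ? "r" : "w");
}

/* Close the stream and reap the child. Returns its exit status, or -1. */
int pipe_close(FILE *fp, pid_t pid)
{
    int status;
    fclose(fp);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: run /bin/echo with a caller-supplied argument through the pipe and copy
   its output into buf. Because no shell is involved, an argument full of
   metacharacters comes back byte-for-byte. Returns bytes read, or -1. */
ssize_t echo_via_pipe(const char *arg, char *buf, size_t buflen)
{
    char *const av[] = { "echo", (char *)arg, NULL };
    pid_t pid;
    FILE *fp = pipe_open("/bin/echo", av, "r", &pid);
    if (fp == NULL) return -1;
    size_t n = fread(buf, 1, buflen - 1, fp);
    buf[n] = '\0';
    return pipe_close(fp, pid) == 0 ? (ssize_t)n : -1;
}

int main(void)
{
    char buf[128];
    ssize_t n = echo_via_pipe("victim; rm -rf /", buf, sizeof buf);
    printf("read %ld bytes: %s", (long)n, n < 0 ? "(failed)\n" : buf);
    return n < 0;
}
```

The argument "victim; rm -rf /" is the kind of string that system() or popen() would hand to a shell; here it reaches echo as a single argv entry. The absolute-path check and the fixed environment together are what the post's "purify the environment" step has to guarantee: neither PATH nor IFS nor any loader variable is under the caller's control when execve runs.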