
11 Apr
2007
1:28 a.m.
On Tue, Apr 10, 2007 at 05:35:46PM -0700, Kees Cook wrote:
However, I much more recommend using arrays for doing execution, since that forces the right arguments and stops any kind of shell expansion.
BTW, after digging around and finding the code in extension/implementation/script.cpp, and seeing the "pipe_t" class, this whole infrastructure needs to be replaced with g_spawn_async_with_pipes() and the usage of arrays for execution instead of strings. This should reduce the size of the code, make it much easier to maintain, and end up being much much safer.
--
Kees Cook @outflux.net
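
The difference between array-based and string-based execution described in the message above, as an added example that is not part of the original e-mail or the project's code. It uses plain POSIX fork()/execvp() and popen() rather than GLib's g_spawn_async_with_pipes() so that it builds without GLib; the helper names run_argv and run_shell and the sample file name are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* popen(), pclose() */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[0] with an argument array (no shell is involved) and capture its
 * stdout in out. Returns the child's exit status, or -1 on error. */
static int run_argv(char *const argv[], char *out, size_t cap) {
    int fds[2], status;
    if (cap == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                        /* child: stdout goes to the pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);             /* each argv[i] is passed verbatim */
        _exit(127);                        /* only reached if exec failed */
    }
    close(fds[1]);
    size_t len = 0; ssize_t n;
    while (len < cap - 1 && (n = read(fds[0], out + len, cap - 1 - len)) > 0)
        len += (size_t)n;
    out[len] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* The string-based form: cmd is handed to /bin/sh, which re-parses it. */
static int run_shell(const char *cmd, char *out, size_t cap) {
    if (cap == 0) return -1;
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    size_t len = fread(out, 1, cap - 1, p);
    out[len] = '\0';
    return pclose(p);
}

int main(void) {
    /* Constructed input: a "file name" that contains a shell metacharacter. */
    const char *name = "drawing.svg; echo SECOND-COMMAND";
    char buf[256], cmd[300];
    char *argv[] = { "echo", (char *)name, NULL };
    run_argv(argv, buf, sizeof buf);  printf("array : %s", buf);
    snprintf(cmd, sizeof cmd, "echo %s", name);
    run_shell(cmd, buf, sizeof buf);  printf("string: %s", buf);
    return 0;
}
```

With the array form the whole file name reaches the child as a single argument; with the string form the shell splits it at the `;` and runs a second command.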