OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: MDKSA-2000:039 - xchat update (xchat-1.4.2-nourltoshell.patch)
From: Anthony Fok (fokaDEBIAN.ORG)
Date: Sat Aug 26 2000 - 04:33:14 CDT

On Sat, Aug 26, 2000 at 03:33:58AM -0400, Decklin Foster wrote:
> Joey Hess writes:
> > Actually it is. The "netscape (existing)" and "netscape (new window)"
> > menu entries are safe,
> Actually they're vulnerable too.
>
> http://drugs.org/just/say/'`yes`'
>
> The rule just puts openURL(%s) in single quotes, which can easily be
> broken out of as in the above pseudo-URL.
>
> I'm arguing for the use of execvp instead on the xchat mailing list,
> we'll see how this goes. It's 3:30 AM and I won't be able to write any
> code for it until tomorrow.

Hehe, a friend and Debian developer-to-be "Saka" YU Guanghui pointed
out an article on http://lwn.net/daily/. It turns out that Conectiva
has already put out a patch for it, and it uses execvp instead of
gnome-lib. :-) Here is the link:

        http://lwn.net/daily/con-xchat.php3

And I have attach the patch in this message. Hope this helps! :-)

Anthony

P.S. Conectiva's web site is at http://www.conectiva.com.br/.
      They have some other patches too, one of which I didn't quite
      understand (because I don't know GNOME). :-) It does include
      the up-to-date potfiles translations for es_ES and pt_BR,
      so if anyone is interested, include them. :-)
      All in all, I am quite impressed by Conectiva's package. 

--
Anthony Fok Tung-Ling                Civil and Environmental Engineering
fokaualberta.ca, fokadebian.org    University of Alberta, Canada
Debian Chinese Project -- http://www.debian.org/international/chinese/
Come visit Our Lady of Victory Camp -- http://www.olvc.ab.ca/