tinderbox system() calls, security

RESOLVED FIXED in Future

Status

Webtools Graveyard
Tinderbox
--
blocker
RESOLVED FIXED
17 years ago
4 years ago

People

(Reporter: zach, Assigned: Chris McAfee)


(Reporter)

Description

17 years ago
It appears that Tinderbox has a security hole. Several times, we use
system() calls to call scripts with args; this is a Bad Thing (tm). We should
use the argument form of system() or replace the .pl scripts with .pm's
and call them with use. I talked to dmose on IRC about this, and it appears
real (though I wouldn't bet my life on it). Anyway, if it isn't, it doesn't really
matter.
(Assignee)

Comment 1

17 years ago
Tinderbox client or server?
Can you point out a specific example?
Target Milestone: --- → Future

Comment 2

17 years ago
I'd suspect server, since the client isn't web interactive.
(Assignee)

Comment 3

17 years ago
Switched to arg form of system call for all system() calls
in the server that made sense. Marking fixed.

Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
Product: Webtools → Webtools Graveyard
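
The difference between the string form and the argument form of system() discussed in this bug, as an added example that is not part of the original report or the Tinderbox source. The helper script, the `$tree` value and the marker file are constructed for illustration, and a POSIX /bin/sh is assumed.

```perl
#!/usr/bin/perl
# Added example: string form vs. argument (list) form of Perl's system().
# helper.pl, $tree and the marker file are constructed; none of it is Tinderbox code.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $perl   = $^X;                      # path of the running perl interpreter
my $dir    = tempdir(CLEANUP => 1);
my $helper = "$dir/helper.pl";         # stand-in for a server-side .pl script
my $marker = "$dir/marker";            # exists only if a shell ran an extra command

# The helper reports how many arguments it received and what they were.
open(my $fh, '>', $helper) or die "cannot write $helper: $!";
print $fh 'print scalar(@ARGV), " arg(s): [", join("][", @ARGV), "]\n";', "\n";
close($fh) or die "cannot close $helper: $!";

# Constructed value standing in for a parameter received from a web request.
my $tree = "SeaMonkey; touch $marker";

# String form: the command contains shell metacharacters, so Perl hands the
# whole line to /bin/sh -c. The shell splits on ';' and runs the second command.
system("$perl $helper $tree");
print "string form: marker ",
      (-e $marker ? "created (shell interpreted the input)" : "absent"), "\n";
unlink $marker;

# Argument form: no shell is involved. The program is executed directly and
# each list element arrives as exactly one argv entry, metacharacters included.
system($perl, $helper, $tree) == 0 or warn "helper exited with status $?";
print "list form:   marker ",
      (-e $marker ? "created" : "absent (input stayed a single argument)"), "\n";
```

The list form only removes the shell from the path; the called script still receives the value unmodified and has to validate it itself.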