Geir Torstein Kristiansen wrote:
>
> I *really* don't like the way blackbox runs arbitrary shell commands in
> themes.
>
> There should be a standard way to set backgrounds that doesn't involve
> the shell commands.
>
> Exploit:
>
> Malicious themes could contain nasty commands like: rootCommand: rm -rf
> $HOME and the like.
>
> Imagine if blackbox is run as root, and you have a theme that contains
> stuff like rootCommand: echo
> "root:crypt-password:0:0:root:/root:/bin/bash" >>/etc/passwd; bsetroot
> <normal stuff>
>
> And they wouldn't know what hit 'em because everything will appear
> normal, and the bg will be set.
>
> Note that I haven't bothered to test these.

It's been about one week now since I asked this question on the list. I
am wondering if the blackbox developers have anything to say about this.
Is this something that is on your TODO list for future blackbox versions
or is it something that you don't care about at all?
__ __
___ _/ /_/ /__
/ _ `/ __/ '_/
\_, /\__/_/\_\ Geir Torstein Kristiansen
/___/--------------------------------------
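
The check below is an added example, not part of the original message and not blackbox code: it audits a theme file before installation and flags any rootCommand that is more than a plain invocation of an allowlisted background setter. The allowlist, the "key: value" line format, and the sample theme are assumptions made for illustration.

```python
import re
import shlex

# Assumption: the only programs a theme may launch to set the background.
ALLOWED_SETTERS = {"bsetroot"}
# Characters that let a shell chain, redirect, substitute or expand.
SHELL_META = re.compile(r"[;&|<>`$(){}\\\n*?~!#]")
# Assumption: themes are "key: value" lines; a resource-style prefix is tolerated.
ROOT_CMD = re.compile(r"^\s*[\w.*]*rootCommand\s*:\s*(.*)$")


def audit_theme(text):
    """Return a list of (line_number, command, reason) findings."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ROOT_CMD.match(line)
        if not match:
            continue
        command = match.group(1).strip()
        meta = SHELL_META.search(command)
        if meta:
            findings.append((number, command, f"shell metacharacter {meta.group()!r}"))
            continue
        try:
            argv = shlex.split(command)
        except ValueError as exc:  # e.g. unbalanced quotes
            findings.append((number, command, f"unparseable: {exc}"))
            continue
        # A relative or absolute path is rejected too: only the bare name passes.
        if argv and argv[0] not in ALLOWED_SETTERS:
            findings.append((number, command, f"program {argv[0]!r} not allowlisted"))
    return findings


# Constructed sample theme; the flagged lines reuse the commands quoted in the post.
SAMPLE_THEME = """\
! constructed sample style file
toolbar.color: grey
rootCommand: bsetroot -solid black
rootCommand: rm -rf $HOME
rootCommand: echo "root:crypt-password:0:0:root:/root:/bin/bash" >>/etc/passwd; bsetroot -solid black
rootCommand: ./bsetroot -solid black
"""

if __name__ == "__main__":
    for number, command, reason in audit_theme(SAMPLE_THEME):
        print(f"line {number}: {reason}: {command}")
```

The check is deliberately conservative: a metacharacter inside quotes is still flagged, since the command ends up in a shell either way.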