Hello Andreas,

> I see that my patch [1] was overlooked and then [2] was written the next 
> day. It introduces at least 2 new code executions vulnerabilities 
> relating to filenames containing $(..).

Indeed, the gnulib module 'sh-quote' [1] can help to avoid misquoting in
shell command-lines.

Additionally, the gnulib module 'execute' [2] ensures portability to Windows,
since it replaces the uses of 'fork()'.

Bruno

[1] https://www.gnu.org/software/gnulib/MODULES.html#module=sh-quote
[2] https://www.gnu.org/software/gnulib/MODULES.html#module=execute


Reply via email to