CVE-Hunter-Leo left a comment (geany/geany#4611)

@WrapEarnPass 

Thanks for the detailed analysis and for thinking about the bigger picture.

I agree that scattering `g_shell_quote()` calls everywhere is not ideal, and 
having a central `GeanyFile` abstraction that separates the display name from 
the real (shell-safe) name sounds like a much cleaner long-term solution. It 
would also benefit plugins and other parts of the codebase.

A few questions so I can better understand the direction:

1. Would you prefer to work toward this larger `GeanyFile` refactor, or would 
you like a more targeted fix first to address the immediate shell injection 
vectors (especially via project files and the run script)?

2. If we go for the larger refactor, do you think it makes sense to still 
request a CVE for the current behaviour in the meantime (since it is 
exploitable today)?

I'm happy to help with testing, providing additional PoCs, or checking specific 
code paths if it would be useful. Just let me know how you'd like to proceed. 
Thanks again for looking into this.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany/issues/4611#issuecomment-4878036463
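To make the injection vector under discussion concrete, here is an added example in C; it is not Geany's code and is not taken from the thread. `shell_quote()` reimplements the documented behaviour of GLib's `g_shell_quote()` (wrap in single quotes, turn each embedded `'` into `'\''`) so that the file builds without linking GLib; the `%f` placeholder, the `build_run_command_*` names and `has_unquoted_metachar()` are hypothetical names chosen for the example. The unsafe builder pastes the file name into the run command verbatim, the safe builder quotes it once at the boundary where it meets `/bin/sh`, and the checker scans the resulting command for metacharacters outside single quotes so the difference can be asserted rather than eyeballed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reimplementation of g_shell_quote() semantics (assumption: GLib not linked
   here): single-quote the string, replacing each embedded ' with '\'' .
   Caller frees the result. */
char *shell_quote(const char *s)
{
    size_t n = strlen(s), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'')
            extra += 3;                 /* ' becomes '\'' : three extra bytes */
    char *out = malloc(n + extra + 3);  /* two wrapping quotes + NUL */
    if (!out)
        return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') {
            memcpy(p, "'\\''", 4);
            p += 4;
        } else {
            *p++ = s[i];
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Replace the first "%f" in a run-command template with value. The "%f"
   placeholder is a hypothetical template syntax for this example. Caller frees. */
static char *expand_template(const char *tmpl, const char *value)
{
    const char *at = strstr(tmpl, "%f");
    if (!at) {
        size_t len = strlen(tmpl);
        char *copy = malloc(len + 1);
        if (copy)
            memcpy(copy, tmpl, len + 1);
        return copy;
    }
    size_t head = (size_t)(at - tmpl);
    size_t tail = strlen(at + 2);
    size_t vlen = strlen(value);
    char *out = malloc(head + vlen + tail + 1);
    if (!out)
        return NULL;
    memcpy(out, tmpl, head);
    memcpy(out + head, value, vlen);
    memcpy(out + head + vlen, at + 2, tail + 1); /* copies the NUL too */
    return out;
}

/* Vulnerable pattern: the file name goes into the command verbatim, so a name
   containing ';', '`' or '$(' becomes additional shell commands. */
char *build_run_command_unsafe(const char *tmpl, const char *filename)
{
    return expand_template(tmpl, filename);
}

/* Hardened pattern: quote the name once, at the boundary before /bin/sh sees it. */
char *build_run_command_safe(const char *tmpl, const char *filename)
{
    char *q = shell_quote(filename);
    if (!q)
        return NULL;
    char *cmd = expand_template(tmpl, q);
    free(q);
    return cmd;
}

/* Check: does cmd contain a shell metacharacter outside single quotes?
   Backslash escapes are honoured outside quotes. Returns 1 if yes, 0 if no. */
int has_unquoted_metachar(const char *cmd)
{
    int in_sq = 0;
    for (const char *c = cmd; *c; c++) {
        if (in_sq) {
            if (*c == '\'')
                in_sq = 0;
        } else if (*c == '\\') {
            if (c[1])
                c++;                    /* escaped character, skip it */
        } else if (*c == '\'') {
            in_sq = 1;
        } else if (strchr(";|&`$<>()\n", *c)) {
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed attacker-controlled file name, e.g. from a project file. */
    const char *evil = "x.py; touch /tmp/pwned #";
    char *bad = build_run_command_unsafe("python %f", evil);
    char *good = build_run_command_safe("python %f", evil);
    printf("unsafe: %s  (metachar outside quotes: %d)\n", bad, has_unquoted_metachar(bad));
    printf("safe:   %s  (metachar outside quotes: %d)\n", good, has_unquoted_metachar(good));
    free(bad);
    free(good);
    return 0;
}
```

Quoting at one boundary is what makes a central abstraction attractive: if every caller has to remember `shell_quote()`, the one that forgets is the injection point, whereas a name type that is already shell-safe cannot be pasted in raw by accident.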