CVE-Hunter-Leo left a comment (geany/geany#4611) @WrapEarnPass
Thanks for the detailed analysis and for thinking about the bigger picture. I agree that scattering `g_shell_quote()` calls everywhere is not ideal, and having a central `GeanyFile` abstraction that separates the display name from the real (shell-safe) name sounds like a much cleaner long-term solution. It would also benefit plugins and other parts of the codebase.

A few questions so I can better understand the direction:

1. Would you prefer to work toward this larger `GeanyFile` refactor, or would you like a more targeted fix first to address the immediate shell injection vectors (especially via project files and the run script)?
2. If we go for the larger refactor, do you think it makes sense to still request a CVE for the current behaviour in the meantime (since it is exploitable today)?

I'm happy to help with testing, providing additional PoCs, or checking specific code paths if it would be useful. Just let me know how you'd like to proceed.

Thanks again for looking into this.

--
Reply to this email directly or view it on GitHub: https://github.com/geany/geany/issues/4611#issuecomment-4878036463
