Heitor Ricardo Alves de Siqueira <hal...@linux.vnet.ibm.com> writes:

> The functions for viewing log files in iprconfig used a number of system()
> calls to display information to the user. This commit rewrites the log
> viewing system with more secure fork()/exec() calls. The log info is
> displayed to the user through the "less" pager, with the environment
> variable LESSSECURE set to 1 to prevent arbitrary command execution during
> log inspection.

Hey, I think you really should follow a different path here.  The point
is not that system() is less secure than fork, it is not, but the fact
that right now we can have arbitrary code injected in our calls. Your
code does improve that in some places, but what we really should do is
replace most of these shell hacks with some real C code.  We should
avoid calling sed, grep, zcat, or whatever.  For instance, the sed you
used for grepping can be easily replaced with a for loop that goes
through the file and filters out lines that don't have 'ipr'.

We can, however, spawn the editor to display the log with execve(),
system(), or whatever, it doesn't really matter how.

Thanks,

-- 
Gabriel Krisman Bertazi
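
The filtering loop suggested in the reply above, sketched as an added example; it is not code from this thread or from the iprutils source. The names read_line and filter_lines are hypothetical, and only plain-text logs are handled (compressed logs are out of scope here).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read one line of any length into *buf, growing it with realloc().
 * Returns 1 when a line was read, 0 at end of file, -1 if out of memory. */
static int read_line(FILE *in, char **buf, size_t *cap)
{
    size_t len = 0;
    int c;
    while ((c = fgetc(in)) != EOF) {
        if (len + 2 > *cap) {               /* room for c and the NUL */
            size_t ncap = *cap ? *cap * 2 : 256;
            char *nbuf = realloc(*buf, ncap);
            if (!nbuf)
                return -1;
            *buf = nbuf;
            *cap = ncap;
        }
        (*buf)[len++] = (char)c;
        if (c == '\n')
            break;
    }
    if (len == 0)
        return 0;
    (*buf)[len] = '\0';
    return 1;
}

/* Copy each line of `in` that contains `needle` to `out`; no shell, sed or
 * grep is involved. Returns the number of lines copied, or -1 on error. */
long filter_lines(FILE *in, FILE *out, const char *needle)
{
    char *line = NULL;
    size_t cap = 0;
    long kept = 0;
    int rc;
    while ((rc = read_line(in, &line, &cap)) > 0)
        if (strstr(line, needle) && fputs(line, out) != EOF)
            kept++;
    free(line);
    return (rc < 0 || ferror(in) || ferror(out)) ? -1 : kept;
}

int main(int argc, char **argv)
{
    FILE *in = argc > 1 ? fopen(argv[1], "r") : stdin; /* path only reaches fopen() */
    return (in && filter_lines(in, stdout, "ipr") >= 0) ? 0 : 1;
}
```

Because the file name is passed only to fopen() and the match is done with strstr(), neither the path nor the log contents are ever interpreted by a shell.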


_______________________________________________
Iprdd-devel mailing list
Iprdd-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/iprdd-devel