https://bugzilla.novell.com/show_bug.cgi?id=641915
https://bugzilla.novell.com/show_bug.cgi?id=641915#c0

Summary: Security hole: Mono should not search current directory for DLLs
Classification: Mono
Product: Mono: Runtime
Version: 2.6.x
Platform: Macintosh
OS/Version: Mac OS X 10.6
Status: NEW
Severity: Normal
Priority: P5 - None
Component: misc
AssignedTo: [email protected]
ReportedBy: [email protected]
QAContact: [email protected]
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5

http://www.mono-project.com/DllNotFoundException explains that the mono runtime searches the current working directory for DLLs. This opens a serious security hole. Malicious code can be given the same name as a DLL and left in a directory the user might visit. Also, it means that no mono application can safely set the current working directory.

Microsoft themselves addressed this issue in Windows: http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx

It's a well-known "dummies" question for Unix why you must not have "." on your path: http://www.unix.com/unix-dummies-questions-answers/22806-why-bad-idea-insert-dot-path.html

Mono is exposing users to these same old-hat problems.

(As a related problem, many mono programs seem to *assume* that they will be run with the CWD set to their installed directory, and break if it isn't.)

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

_______________________________________________
mono-bugs maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-bugs
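To make the report's point concrete, here is an added example (not Mono's code and not part of the bug report) that models a first-hit-wins library search in Python: an unsafe resolver that consults the current working directory before the install directory, as the report says the Mono runtime does, beside a hardened resolver that never consults the CWD or relative entries, plus an audit helper for "." or empty components in a POSIX PATH. The directory layout, the file name libfoo.so and the search order are constructed assumptions for the demo.

```python
import os
import tempfile


def unsafe_resolve(lib_name, search_dirs):
    """First-hit-wins lookup: whichever directory appears first and holds
    a file named lib_name decides what gets loaded."""
    for d in search_dirs:
        candidate = os.path.join(d, lib_name)
        if os.path.isfile(candidate):
            return os.path.abspath(candidate)
    return None


def safe_resolve(lib_name, search_dirs, cwd):
    """Same walk, but relative entries and the current working directory
    are dropped, so a file planted in a visited directory cannot win."""
    cwd = os.path.abspath(cwd)
    trusted = [d for d in search_dirs
               if os.path.isabs(d) and os.path.abspath(d) != cwd]
    return unsafe_resolve(lib_name, trusted)


def risky_path_entries(path_value):
    """PATH components that mean 'current directory': '.' or an empty field
    (as in 'a::b' or a trailing ':'), the classic Unix pitfall the report cites."""
    return [p for p in path_value.split(":") if p in ("", ".")]


def demo():
    # Constructed layout: the install dir holds the real library, and a
    # directory the user might visit holds a same-named file.
    root = tempfile.mkdtemp()
    app_dir = os.path.join(root, "app")
    visited = os.path.join(root, "downloads")
    os.makedirs(app_dir)
    os.makedirs(visited)
    for d in (app_dir, visited):
        with open(os.path.join(d, "libfoo.so"), "w") as f:
            f.write(d)
    # Search order assumed from the report: CWD consulted before the install dir.
    search_order = [visited, app_dir]
    unsafe = unsafe_resolve("libfoo.so", search_order)
    safe = safe_resolve("libfoo.so", search_order, cwd=visited)
    # Returns (planted file won under the unsafe walk, install dir won under the safe walk)
    return os.path.dirname(unsafe) == visited, os.path.dirname(safe) == app_dir
```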
