Use full path of cmd.exe #136
This patch prevents running cmd.exe from the working directory, which may be attacker-controlled. It fixes CVE-2019-17664.
Hi @jeff5, does this PR look good to you? Let me know if there’s anything I need to do to get this merged. Thank you.
This looks right to me, but I shall download and verify. I think resolving the symbol
@xiaoyinl : Was there a reason for not using On my machine
@jeff5 I didn't use Do you want to fall back to
I think I would assume I have a couple of changes to push onto this PR, so don't change just yet.
Also, line wrap at 100.
@xiaoyinl : If you now pull from your PR branch you will have the merge I made from the development tip on which you can try the When you're done, I'll squash and merge.
@jeff5 I have made the change, and tested it: with this PR applied,
@xiaoyinl : thanks for your collaboration on this. As it is relatively minor and follows the proposals on NationalSecurityAgency/ghidra#107, we can manage without the PSF contributor agreement this time.
This follows jython#136, fixing the same problem in other places before anyone raises another CVE. Unfortunately, with a security manager in play, one cannot always look up ComSpec, and a soft-fail to the hard-coded location becomes worthwhile (full path, not cmd.exe).
Related discussion on Ghidra: NationalSecurityAgency/ghidra#107
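The approach discussed in this thread (look up `ComSpec`, soft-fail to a hard-coded full path when a security manager denies the lookup, never pass a bare `cmd.exe`) can be sketched as follows. This is an added example, not the code from this PR or from Jython; the class name `ShellResolver`, its methods and the fallback path are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

public class ShellResolver {

    // Assumed default location of the interpreter; this value is not taken from the PR.
    static final String FALLBACK = "C:\\Windows\\System32\\cmd.exe";

    /** Return a full path to the command interpreter, never a bare file name. */
    static String resolveShell() {
        try {
            String comSpec = System.getenv("ComSpec");
            // Use ComSpec only when it is an absolute path, so that no
            // directory search (which could reach the working directory) occurs.
            if (comSpec != null && new File(comSpec).isAbsolute()) {
                return comSpec;
            }
        } catch (SecurityException e) {
            // A security manager may forbid reading the environment:
            // soft-fail to the hard-coded full path rather than to "cmd.exe".
        }
        return FALLBACK;
    }

    /** Build the argument list for running one command line through the shell. */
    static List<String> shellCommand(String commandLine) {
        // Weak form, for comparison: Arrays.asList("cmd.exe", "/c", commandLine)
        // leaves the choice of executable to a search by name.
        return Arrays.asList(resolveShell(), "/c", commandLine);
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        List<String> cmd = shellCommand("echo resolved");
        System.out.println("argv[0] = " + cmd.get(0));
        // Start the process only where the resolved interpreter can exist.
        if (System.getProperty("os.name").startsWith("Windows")) {
            Process p = new ProcessBuilder(cmd).inheritIO().start();
            p.waitFor();
        }
    }
}
```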