TAF Updater On Linux Shouldn't Try To Execute #73
Labels
bug
Something isn't working
Comments
|
Don't see how it is a security problem, no program loader would succeed in loading a tar.gz . Is the execute bit even set? |
|
It's only a security problem in the broad sense of "trying to execute something that's supposed to purely be data is a bad practice." The theoretical problem would be someone hijacking the domain for TAF and putting something malicious in that says it's .tar.gz. |
|
Then they could also replace the insides and have the malicous code there
too. Unless it was crypthographically signed that is just a reality of
life. I dont think we can expect overengineered perfection.
…On Tue, 9 Apr 2024, 00:06 Daniel Wilkins, ***@***.***> wrote:
It's only a security problem in the broad sense of "trying to execute
something that's supposed to purely be data is a bad practice." The
theoretical problem would be someone hijacking the domain for TAF and
putting something malicious in that *says* it's .tar.gz.
—
Reply to this email directly, view it on GitHub
<#73 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAPUKOVALDHLLM3EPQOG3R3Y4MIGVAVCNFSM6AAAAABFULPKY6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANBTG4YTSNJVGY>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When a TAF update is available, TAF does the right thing by downloading the unix client, however the code after that assumes that the download is only for windows and attempts to run it like an executable:
I'm not sure if there's already code to untar archives in the codebase, but at the very least it's a security problem for it to be trying to execute a file which is just data.
The text was updated successfully, but these errors were encountered: