DMD 1.005 release [security concerns about ImportExpressions]
Andy Knowles
nole_z at hotmail.com
Wed Feb 7 00:37:19 PST 2007
"Hasan Aljudy" <hasan.aljudy at gmail.com> wrote in message
news:eqbu2l$1s7t$1 at digitaldaemon.com...
>
>
> Vladimir Panteleev wrote:
>> On Tue, 06 Feb 2007 06:54:18 +0200, Walter Bright
>> <newshound at digitalmars.com> wrote:
>>
>>> http://www.digitalmars.com/d/changelog.html
>>
>> Hmm. What would prevent someone from writing programs like:
>> writef(import("/etc/passwd"));
>> and trick someone to compile this program for them (under the pretext
>> that they don't have a D compiler, for example) to steal the user list
>> (or the contents of any other file with a known absolute or relative path
>> on the victim's system)?
>>
>> IMO, the compiler should at least issue a warning when importing a file
>> not located in/under the source file's directory. Although, if the source
>> emits a lot of pragma(msg) messages, the warning might get cluttered by
>> those - or this might be concealed in a large program with a lot of
>> files. A better security-wise solution is to disallow importing files
>> outside the source file's directory, unless specified by the user on the
>> command-line.
>>
>
> Well, theoretically nothing prevents someone from writing a virus in C++
> and trick someone to compile and run it.
But you don't need them to run Vladimir's example, just compile it. They
send you back the compiled program ("Thanks for compiling it for me!") and
you run it. The passwords are imbedded in the binary. C++ can't do this
quite as easily.
More information about the Digitalmars-d-announce
mailing list