[Issue 15584] Security issue: symlink attack

via Digitalmars-d-bugs digitalmars-d-bugs at puremagic.com
Thu Jan 21 18:56:05 PST 2016


https://issues.dlang.org/show_bug.cgi?id=15584

--- Comment #9 from Ketmar Dark <ketmar at ketmar.no-ip.org> ---
(In reply to Cédric Picard from comment #8)
> If anything to bring some consistency. Security issues apart, compiling the
> same source code with the same flags and the same files in the folder twice
> ends up with two completely different results.
which, of course, can be caused by many other reasons. like, for example,
remounting (rebinding) output point (which can be caused by some external
condition, of course). so should we check for mount binds? and if we should,
what should be considered "safe"? absence of binds? but why?

that's why i think that such checks are curing the symptoms, and are of little
importance.

it's not the compiler task to check file paths, it's a task of tar/git/etc —
the program that was used to unpack the archive. and if the user managed to
create such weird environment... well, it's time to fix the user, not the
compiler. ;-)

btw, isn't creating executables done by "ld"? so it looks like "ld" bug, not
dmd.

> > anyway: let it be of "normal" severity then?
> I leave that point to your discretion. I'm a security guy, every
> vulnerability allowing remote access is critical for me, but it's the
> developer's job to decide whether it fits their security model or not.
i'm not a dmd developer either. ;-) yet while it's surely a security flaw, for me
dmd is the wrong place where one should try to solve it.

--
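The comment above argues about where a symlink check on an output file belongs. For readers who want to see what such a check looks like in the tool that actually writes the file, here is an added example (my own code, not from dmd, ld, or anyone in this thread). It assumes a POSIX system and shows the two-part guard a writer would use: an lstat() test that refuses a path whose last component is a symlink, plus O_NOFOLLOW on the open() so the check is not racy. It only covers the last path component; a symlinked or bind-mounted parent directory, which Ketmar raises as the harder case, is deliberately out of scope. The self-check builds its own scratch directory and symlink, so it runs offline.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if needed) an output file, refusing to follow a symlink
 * at the final path component. Returns an fd, or -1 with errno set.
 * Guards only the last component: a symlinked parent directory or a bind
 * mount on the output directory is not detected here. */
int open_output_nofollow(const char *path, mode_t mode)
{
    struct stat st;
    /* lstat() does not follow symlinks: reject if the path itself is one. */
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) {
        errno = ELOOP;
        return -1;
    }
    /* O_NOFOLLOW closes the window between the lstat() and the open(). */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, mode);
}

/* Self-check with constructed files: a scratch directory holding a "victim"
 * file and a symlink pointing at it. Verifies the guard accepts a plain
 * output path, refuses the symlink, and leaves the victim's contents intact.
 * Returns 1 on success, 0 on any failure. */
int symlink_guard_selfcheck(void)
{
    char dir[] = "/tmp/symguardXXXXXX";   /* constructed scratch location */
    char victim[256], link[256], plain[256];
    struct stat st;
    int vfd = -1, fd_plain = -1, fd_link = -1, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/out_link", dir);
    snprintf(plain, sizeof plain, "%s/out_plain", dir);

    vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0 || write(vfd, "keep me\n", 8) != 8)
        goto cleanup;
    close(vfd);
    vfd = -1;
    if (symlink(victim, link) != 0)
        goto cleanup;

    fd_plain = open_output_nofollow(plain, 0600);   /* expected: fd >= 0 */
    fd_link = open_output_nofollow(link, 0600);     /* expected: -1, ELOOP */

    /* The victim must still hold its original 8 bytes (no truncation). */
    if (stat(victim, &st) != 0)
        goto cleanup;
    ok = (fd_plain >= 0) && (fd_link < 0) && (st.st_size == 8);

cleanup:
    if (vfd >= 0) close(vfd);
    if (fd_plain >= 0) close(fd_plain);
    if (fd_link >= 0) close(fd_link);
    unlink(plain);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink guard self-check: %s\n",
           symlink_guard_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

On Linux the open() in the second call fails with ELOOP even without the preceding lstat(); the lstat() is kept so the failure reason is explicit and portable across kernels that report O_NOFOLLOW rejections differently.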