DMD 1.005 release [security concerns about ImportExpressions]
Vladimir Panteleev
thecybershadow at gmail.com
Tue Feb 6 22:30:31 PST 2007
On Tue, 06 Feb 2007 06:54:18 +0200, Walter Bright <newshound at digitalmars.com> wrote:
> http://www.digitalmars.com/d/changelog.html
Hmm. What would prevent someone from writing programs like:
writef(import("/etc/passwd"));
and trick someone to compile this program for them (under the pretext that they don't have a D compiler, for example) to steal the user list (or the contents of any other file with a known absolute or relative path on the victim's system)?
IMO, the compiler should at least issue a warning when importing a file not located in/under the source file's directory. Although, if the source emits a lot of pragma(msg) messages, the warning might get cluttered by those - or this might be concealed in a large program with a lot of files. A better security-wise solution is to disallow importing files outside the source file's directory, unless specified by the user on the command-line.
--
Best regards,
Vladimir mailto:thecybershadow at gmail.com
More information about the Digitalmars-d-announce
mailing list