Conversation

Notices

1. kaniini (kaniini@mastodon.dereferenced.org)'s status on Tuesday, 09-Jan-2018 18:06:08 EST kaniini

   I broke Go. I don't feel bad. They should have understood that "POSIX shell fragments" means "POSIX shell fragments," not "\ is used to escape spaces".

   https://go-review.googlesource.com/c/go/+/86541

   1. kaniini (kaniini@mastodon.dereferenced.org)'s status on Tuesday, 09-Jan-2018 18:07:20 EST kaniini

      in reply to

      By the way this is actually a security bug, but exploitation is left to the audience.

      1. kaniini (kaniini@mastodon.dereferenced.org)'s status on Tuesday, 09-Jan-2018 18:22:41 EST kaniini

         in reply to

         This is why libpkgconf exists.

         Programming languages and compilers should NOT be parsing untrusted input (such as the output from pkgconf).

         Instead, compilers should verify the fragment list generated by libpkgconf and use that to reassemble the shell fragments after verifying they are sane.

         Again, this is the whole point of why libpkgconf is a thing.

         1. kaniini (kaniini@mastodon.dereferenced.org)'s status on Tuesday, 09-Jan-2018 18:36:04 EST kaniini

            in reply to

            I explain in more detail here: https://go-review.googlesource.com/c/go/+/86541#message-71f1fc110da19b4813bd2b1a5a1c5eb1d95f87a3

            If you're writing a compiler and working with .pc files, you should really use libpkgconf.