Re: xpdf vulnerability - CAN-2003-0434

Andries.Brouwer_at_cwi.nl
Date: 07/09/03

    Date: Wed, 9 Jul 2003 22:36:40 +0200 (MEST)
    To: Andries.Brouwer@cwi.nl, shalunov@internet2.edu
    
    

    >> A urlCommand like the default "netscape -remote 'openURL(%s)'"
    >> is OK since the %s is protected by single quotes.

    > How so? Consider an argument of
    > '`rm -rf /tmp/test`'

    xpdf already filters out single and double quotes, so
    these do not occur in arguments.
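
The exchange above, as an added example that is not part of the original post or of xpdf's code: a urlCommand-style template with `%s` inside single quotes is run through `sh -c`, once with quotes stripped from the link target and once without. `printf` stands in for the browser command, and the function names and the link target are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: why '%s' in a urlCommand is only safe when the
# substituted link target cannot contain a single quote.

# strip_quotes TARGET: drop ' and " from a link target, the filtering
# the reply says xpdf applies before substitution.
strip_quotes() {
    printf '%s' "$1" | tr -d "'\""
}

# run_url_command TARGET: substitute TARGET for %s between single quotes
# and hand the finished line to sh -c, as a system()-style call would.
# printf replaces the browser so nothing is launched.
run_url_command() {
    sh -c "printf '%s\n' '$1'"
}

# Constructed link target, shaped like the one in the quoted question
# but with a harmless command.
raw="'\`echo INJECTED\`'"
filtered=$(strip_quotes "$raw")

echo "filtered target reaches the command as: $(run_url_command "$filtered")"
echo "unfiltered target reaches the command as: $(run_url_command "$raw")"
```

With the quotes stripped, the backticks stay inside the single-quoted word and arrive as literal text; with them left in, the embedded quote closes the word early and the shell performs the substitution.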

