On Fri, 14 Jul 2017 18:47:05 +0200,
Natanael Copa wrote:
>
> As suggested in POSIX[1], wordexp might execute the shell. If the libc
> implementation does so, it will break the firefox sandbox which does
> not allow exec. This happened on Alpine Linux with musl libc[2].
>
> Since we cannot guarantee that the system wordexp implementation does
> not execute shell, we cannot really use it, and need to implement the
> ~/ expansion ourselves.
>
> We provide a configure option --with-wordexp for users that still may
> need it, but we leave this off by default because wordexp is a
> large attack vector and it is better to avoid it.
>
> [1]: http://pubs.opengroup.org/onlinepubs/9699919799/functions/wordexp.html#tag_16_684_08
> [2]: http://bugs.alpinelinux.org/issues/7454#note-2
>
> Signed-off-by: Natanael Copa <ncopa@xxxxxxxxxxxxxxx>
> ---
> changes v2:
>  - add configure option to enable old behaviour which uses wordexp.
>    this is off by default.
>
> I was not sure if I should use --with-wordexp or --enable-wordexp but
> went with --with-wordexp similar to --with-softfloat.

That's OK, a matter of taste.

Applied now as is. Thanks.


Takashi
_______________________________________________
Alsa-devel mailing list
Alsa-devel@xxxxxxxxxxxxxxxx
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
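
The approach the commit message describes, expanding `~/` without calling wordexp, shown as an added example; it is not the alsa-lib patch or code from this thread. The function name `expand_tilde` and the sample paths are hypothetical.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not alsa-lib code): expand a leading "~" or "~/" to
 * the home directory without wordexp(), so no shell is ever exec'd.
 * Stores a malloc()ed string in *out and returns 0, or a negative errno. */
int expand_tilde(const char *path, char **out)
{
    const char *home = "", *rest = path;
    size_t len;
    if (!path || !out)
        return -EINVAL;
    *out = NULL;
    /* Only "~" and "~/..." are expanded. "~user", "$VAR", globs and
     * "$(cmd)" are copied through verbatim, never interpreted. */
    if (path[0] == '~' && (path[1] == '/' || path[1] == '\0')) {
        home = getenv("HOME");
        if (!home || !*home) {
            /* HOME unset: fall back to the passwd database. */
            struct passwd *pw = getpwuid(getuid());
            if (!pw || !pw->pw_dir)
                return -ENOENT;
            home = pw->pw_dir;
        }
        rest = path + 1;    /* "" or "/..." */
    }
    len = strlen(home) + strlen(rest) + 1;
    *out = malloc(len);
    if (!*out)
        return -ENOMEM;
    snprintf(*out, len, "%s%s", home, rest);
    return 0;
}

int main(void)
{
    const char *samples[] = { "~/.asoundrc", "~user/x", "$(id)" }; /* constructed inputs */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *p = NULL;
        if (expand_tilde(samples[i], &p) == 0)
            printf("%-12s -> %s\n", samples[i], p);
        free(p);
    }
    return 0;
}
```

Because the helper only does string concatenation, it needs no `exec` permission and works inside a sandbox that forbids it; the trade-off is that the other expansions wordexp offers are not performed.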