Fedora 24
shell weakness #30

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

oiio-Release-1.6.16/src/libutil/filesystem.cpp

Context:

The highlighted line of code below is the trigger point of this particular Fedora 24 shell weakness.

 #endif
    } catch (...) {
        r = false;
    }
    return r;
}



bool
Filesystem::create_directory (string_view path, std::string &err)
{

#if defined(_WIN32)
	// boost internally doesn't use MultiByteToWideChar (CP_UTF8,...
	// to convert char* to wchar_t* because they do not know the encoding
	// See boost::filesystem::path.hpp 
	// The only correct way to do this is to do the conversion ourselves
	std::wstring pathStr = Strutil::utf8_to_utf16(path);
#else
	std::string pathStr = path.str();
#endif

#if BOOST_FILESYSTEM_VERSION >= 3
    boost::system::error_code ec;
	bool ok = boost::filesystem::create_directory (pathStr, ec);
    if (ok)
        err.clear();
    else
        err = ec.message();
    return ok;
#else
    bool ok = boost::filesystem::create_directory (pathStr);
    if (ok)
        err.clear();
    else
        err = "Could not make directory";
    return ok;
#endif
}


bool
Filesystem::copy (string_view from, string_view to, std::string &err)
{
#if defined(_WIN32)
	// boost internally doesn't use MultiByteToWideChar (CP_UTF8,...
	// to convert char* to wchar_t* because they do not know the encoding
	// See boost::filesystem::path.hpp 
	// The only correct way to do this is to do the conversion ourselves 
