
I hate that PeaZip does not support passwords with a quotation mark (") in the UI. I haven't reviewed the code, but I am assuming that they are neither passing the password via a variable (linked library) nor via an execve call (less secure), but via some sub-shell which is a common attack vector and bad security practice. But as I said, I haven't reviewed the code.


I haven't run nor looked at the code for PeaZip, but the website describes the program as a GUI wrapper around command line utilities. I highly suspect it's the sub-shell thing.


That's concerning. What if your archive password is ;rm -rf --no-preserve-root /? There might be an easy CVE for the taking here.
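The distinction the three comments turn on (password spliced into a shell command string versus passed as its own argv element) is easy to see in code. The following is an added example, not code from the thread or from PeaZip; `archiver`, `-p` and `archive.zip` are placeholders standing in for whatever command line tool a wrapper invokes. The naive string is only tokenized with `shlex`, never executed; the safe path runs a small Python child process in place of the real archiver so that the example is self-contained and shows exactly what the called program receives.

```python
import shlex
import subprocess
import sys

# Constructed sample password containing the double quote PeaZip's UI rejects,
# plus spaces so the damage done by shell tokenization is visible.
SAMPLE_PASSWORD = 'a" b "c'


def naive_command_line(password: str) -> str:
    """The fragile pattern: splice the password into a string that a shell will parse.
    Shown only to illustrate the problem; this function's output is never executed."""
    return f'archiver -p"{password}" archive.zip'


def naive_tokenization(password: str):
    """What a POSIX shell would make of the naive string (shlex follows the same
    quoting rules). Returns the token list, or the error message when the string
    cannot even be tokenized."""
    try:
        return shlex.split(naive_command_line(password))
    except ValueError as exc:
        return str(exc)


def shell_safe_command_line(password: str) -> str:
    """If a shell truly cannot be avoided, quote the argument with shlex.quote so it
    survives as a single token regardless of its content."""
    return "archiver -p" + shlex.quote(password) + " archive.zip"


def safe_tokenization(password: str):
    """Token list a shell would see for the quoted command line."""
    return shlex.split(shell_safe_command_line(password))


def run_with_argv(password: str) -> str:
    """The preferred pattern: no shell at all; the password is one argv element.
    The child here is a Python one-liner standing in for the archiver; it prints
    argv[1] back unchanged so the caller can confirm nothing was mangled."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", password]
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout


if __name__ == "__main__":
    print("naive string :", naive_command_line(SAMPLE_PASSWORD))
    print("naive tokens :", naive_tokenization(SAMPLE_PASSWORD))
    print("quoted tokens:", safe_tokenization(SAMPLE_PASSWORD))
    print("argv received:", run_with_argv(SAMPLE_PASSWORD))
```

With the sample password the naive string tokenizes into `-pa`, `b` and `c` as three separate arguments, so the archiver would see a truncated password and a stray extra file name; a password containing a single unbalanced `"` does not tokenize at all. Both the `shlex.quote` form and the argv form deliver the password intact, which is why the argv (or library call) route is the one a wrapper should use, and why forbidding `"` in the UI is a symptom rather than a fix.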




