> why allow file() to open sockets

If by "open sockets" you mean open existing sockets in read-only mode, it's so that it can identify them as sockets. If by "open sockets" you mean create new sockets, I don't think it does do that:

https://github.com/threatstack/libmagic/search?utf8=%E2%9C%9...

> write to arbitrary files

It appears it only does this if running on OS/2 and investigating what's inside a compressed file. Under these conditions, a temporary file is necessary for platform-specific reasons:

https://github.com/threatstack/libmagic/blob/3dea7072b8d7e92...

https://github.com/threatstack/libmagic/blob/3dea7072b8d7e92...

It also writes to a non-arbitrary mmapped file (the magic database), because that's how such databases work; you query them by writing to them in a particular way:

https://github.com/threatstack/libmagic/blob/3dea7072b8d7e92...

> run external programs

I can't find any examples where it does that. Do you know of any?

This is what I am saying... given the right input, file(1) could do anything and everything. Yes, it's only due to a bug in file(1), but still, that's kind of ridiculous.
We have all sorts of things in place to protect against other bugs (for example, segmentation faults), and there's 27 years of evidence that we need some more help.