[sane-devel] Security concern about API sane_control_option()
Simon.Zheng at Sun.COM
Fri Feb 9 15:50:26 CET 2007
Olaf Meeuwissen wrote:
> "simon.zheng" <Simon.Zheng at Sun.COM> writes:
>> I'm a new commer for SANE & XSane. Here are some
>> security questions when studying API sane_control_option().
>> I would appreciate if anyone can give help.
>> Is there any possibility sane_control_option() allows
>> you to get or set any control that would allow one
>> user to affect another user. For example:
> sane_control_option() is there so that frontends can tell the backends
> what the user wants to do. It's a very abstract interface and exactly
> what options are available is left to the discretion of each backend.
I find a spec on SANE Standard 2 draft,
http://www.sane-project.org/sane2/0.08/doc014.html, which documents
well-known options.How about those backend-specific options? Where are
they documented? Manpage?
> So any security implications are not a result of sane_control_option()
> but of the set of options a particular backend chooses to provide.
> Hope this helps,
More information about the sane-devel