With my Rust hat on: I don't think that Rust would have solved this. It might have made the code in question easier to understand, as you note, but this kind of error can still happen in any language.

Looking at the patch[1], probably not. There isn't really a lot of complex string handling involved; it's basically just forgetting to forbid "--". I don't really see how any language choice could help you with this.

[1]: https://github.com/sudo-project/sudo/commit/0274a4f3b403162a...

I think there is fundamental design mistake when EDITOR string being badly escaped causing this bug

It has one job

* read file as priviledged user * copy it to temporary file * run editor as unpriviledged user * copy the changed file back

The fact lack of escaping somehow makes sudoedit try to edit file passed in EDITOR variable is extremely shoddy coding.

It shouldn't have to forbid that. The editor and privileged files shouldn't be in the same string. It should just be appending the list of temporary files to the editor command, and running that unprivileged.

Besides the fact that that wouldn't actually have prevented this bug (which you acknowledge in your edit), /dev/fd/N is a linuxism, so wouldn't work on other unices. And has slightly different semantics than the current implementation, where your changes to the file aren't actually updated in the original privileged file until after you exit the editor.

goto to a cleanup/error handling block at the end of a function is a fairly common C idiom

Don't really see a problem using goto there. Simplyfies control flow and error handling. Assuming we are talking about same piece of code.

I think if you read the kennel's code you're in to a big surprise.

just because something's old doesn't mean it's bad

I would say a more type-oriented mentality would make this kind of bug less likely; thinking of -- as a magic value rather than a different kind of thing from a regular argument makes it easy to forget the distinction, and a mentality where you're "sanitizing a string" is far less reliable than one where you're transforming between two distinct formats.

Good point. A "parse, don't validate" approach to handling the contents of `$EDITOR` would look like `parseEditorEnv :: String -> Maybe ProgramPath`, and that parse should fail.

But that's the wrong thing. The problem is not that EDITOR must be a program, but (apparently) that they're parsing the expansion of EDITOR (along with other stuff) to figure out what file to operate on.

I don't see a change to language, per se, that would have helped, really.

A system with more of an object capabilities model could have helped, though. The goal wasn't really "let the user run their editor as root (when they ask for it)", but "let the user work with this particular file from their editor (when they ask for it)".

On reflection, I think C is a language where this kind of error is less likely. In languages where it's easy to cram strings together and parse the results, people are more likely to do it. Those things are a bit of a pain in C, so people are more likely to do things another (and in this case better) way. Of course, that was obviously no guarantee.

Doubtful, failing to sanitize your inputs plagues memory safe languages too.

It's kind of tiring to hear about memory safe languages (mainly rust here) being put on a pedestal, as if it will solve all our software woes.

Not to mention, C++ /can/ be memory safe if you use memory-safe routines.

I'm just waiting for articles to come in, this year.. "why 2023 was not the year of Rust". Not hating on Rust - just the evangelism.

Ironically, even C has the tools to avoid this. You just need to be running OpenBSD: https://man.openbsd.org/unveil.2

I don't think that works here. The editor is supposed to be able to access other files.

This is more of a shellshock-like bug than anything complicated involving memory. Just a really stupid misconfiguration oversight.