On Mon, Apr 29, 2002 at 02:40:22AM -0400, Mark Benedetto King wrote:
> One might think that, presuming that the executable
> at /path/to/editor was capable of handling arbitrary
> parameters, everything would be hunky-dory. But wait!
> We're calling system()! That means $EDITOR gets passed
> verbatim as, basically,
>
> execl("/bin/sh","sh","-c",$EDITOR,0);
>
> So, let's say the user runs
>
> mycommit "foo; cp /bin/sh /tmp/; chmod 4777 /tmp/sh"
>
> You can see where this goes wrong.
>
> So, that means before we call system, either we need
> to escape all semicolons (and pipes and backticks and ...)
> or we need to warn the user "$EDITOR is passed verbatim
> to system; you are probably *not* smart enough to protect
> yourself from craftily constructed $EDITOR variables, so
> we recommend that you don't build setuid applications that
> can trigger $EDITOR."

Isn't it enough to pass "$EDITOR" to the shell and get _it_ to expand
it? Like:

execl("/bin/sh","sh","-c","$EDITOR",0);

Tim.
Received on Mon Apr 29 09:28:02 2002
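
The two `sh -c` forms discussed in this thread, run side by side as an added example that is not part of either message or of the Subversion code. The helper names, the `/tmp` paths, the harmless `touch` payload and the `"$1"` file argument appended to the constant script are assumptions made for the demonstration.

```c
/* Added example, not code from the thread. EDITOR values and paths are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run /bin/sh -c <script> with <arg> as $1; return the shell's exit status. */
static int run_sh(const char *script, const char *arg)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, "sh", arg, (char *)NULL);
        _exit(126);                       /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Quoted mail: the value of EDITOR is pasted into the script the shell parses. */
int run_verbatim(const char *editor, const char *file)
{
    char script[1024];
    int n = snprintf(script, sizeof script, "%s %s", editor, file);
    if (n < 0 || (size_t)n >= sizeof script) return -1;
    return run_sh(script, file);
}

/* Reply: the script is a constant; the shell expands $EDITOR after parsing. */
int run_expanded(const char *editor, const char *file)
{
    if (setenv("EDITOR", editor, 1) != 0) return -1;
    return run_sh("$EDITOR \"$1\"", file);
}

int exists(const char *path) { return access(path, F_OK) == 0; }

int main(void)
{
    const char *marker = "/tmp/editor_demo_marker", *file = "/tmp/editor_demo_file";
    const char *value = "true; touch /tmp/editor_demo_marker";   /* constructed */
    unlink(marker);
    run_expanded(value, file);
    printf("expanded: marker %s\n", exists(marker) ? "created" : "absent");
    run_verbatim(value, file);
    printf("verbatim: marker %s\n", exists(marker) ? "created" : "absent");
    unlink(marker); unlink(file);
    return 0;
}
```

In both forms the program named by EDITOR still runs with the caller's privileges; the constant-script form only keeps the value from being parsed as shell syntax, so it does not make a setuid caller safe.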