Re: [PATCH] Quote filename passed to $EDITOR

From: Ulrich Drepper <drepper_at_redhat.com>
Date: 2002-07-23 19:48:20 CEST

On Tue, 2002-07-23 at 09:53, Karl Fogel wrote:

> (I suppose we could have a configuration-determined character that
> gets substituted in, but doesn't seem worth the trouble...)

I do think it is. This is a potential security hole.

And re not using something else but system. I haven't seen the
discussions but it seems to be again "a minimum functionality dictates
usage" thing. This is wrong. If you'd use posix_spawn() or even
fork()/exec you'd not only get better security but also significantly
more speed and and less resource usage (executing a shell is extrememly
demanding).

-- 
---------------.                          ,-.   1325 Chesapeake Terrace
Ulrich Drepper  \    ,-------------------'   \  Sunnyvale, CA 94089 USA
Red Hat          `--' drepper at redhat.com   `------------------------

application/pgp-signature attachment: This is a digitally signed message part

Received on Tue Jul 23 19:49:15 2002

This message: [ Message body ]
Next message: Ulrich Drepper: "Re: [PATCH] Quote filename passed to $EDITOR"
Previous message: Marcus Comstedt: "Re: [PATCH] Quote filename passed to $EDITOR"
In reply to: Karl Fogel: "Re: [PATCH] Quote filename passed to $EDITOR"
Next in thread: Marcus Comstedt: "Re: [PATCH] Quote filename passed to $EDITOR"
Reply: Marcus Comstedt: "Re: [PATCH] Quote filename passed to $EDITOR"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]