
Re: [PATCH] Quote filename passed to $EDITOR

From: Karl Fogel <kfogel_at_newton.ch.collab.net>
Date: 2002-07-23 20:30:44 CEST

Ulrich Drepper <drepper@redhat.com> writes:
> I do think it is. This is a potential security hole.

What exactly is the scenario(s) here? How high is the risk? How much
trouble is the fix? What's the probability that the fix will cause
some unforeseen problem :-)?

> And re not using something else but system. I haven't seen the
> discussions but it seems to be again "a minimum functionality dictates
> usage" thing. This is wrong. If you'd use posix_spawn() or even
> fork()/exec you'd not only get better security but also significantly
> more speed and less resource usage (executing a shell is extremely
> demanding).

I can't remember the name of the thread, but it's worth reading.

Received on Tue Jul 23 20:43:52 2002
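
The quoted point about posix_spawn() versus system(), as an added example that is not part of the original message or of Subversion's code: the filename is handed to the editor as a single argv element, so no shell parses it and no quoting is needed. `run_editor` and `demo_awkward_name` are hypothetical names, `cat` stands in for the editor, and the example assumes the editor setting is a bare program name without embedded options.

```c
#define _POSIX_C_SOURCE 200809L
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Hypothetical helper: run `editor` with `filename` as its only argument.
 * Assumes `editor` is a bare program name or path with no embedded options.
 * Returns the child's exit status, or -1 if it failed to start or exit. */
int run_editor(const char *editor, const char *filename)
{
    /* The filename is one argv element; no shell ever parses it, so
     * spaces, quotes, ';' or '$' in it are just bytes of the name. */
    char *const argv[] = { (char *)editor, (char *)filename, NULL };
    pid_t pid;
    int status;

    if (posix_spawnp(&pid, editor, NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed check: create a file whose name contains shell
 * metacharacters, then open it with `cat` as a stand-in editor. */
int demo_awkward_name(void)
{
    char dir[] = "/tmp/editor-demo-XXXXXX";
    char path[256];
    FILE *f;
    int rc;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/log msg; echo $HOME 'x'.tmp", dir);
    if ((f = fopen(path, "w")) == NULL)
        return -1;
    fputs("constructed sample content\n", f);
    fclose(f);
    rc = run_editor("cat", path);   /* 0: cat opened exactly this file */
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void) { return demo_awkward_name(); }
```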

This is an archived mail posted to the Subversion Dev mailing list.