[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] Quote filename passed to $EDITOR

From: Karl Fogel <kfogel_at_newton.ch.collab.net>
Date: 2002-07-23 20:30:44 CEST

Ulrich Drepper <drepper@redhat.com> writes:
> I do think it is. This is a potential security hole.

What exactly is the scenario(s) here? How high is the risk? How much
trouble is the fix? What's the probability that the fix will cause
some unforseen problem :-)?

> And re not using something else but system. I haven't seen the
> discussions but it seems to be again "a minimum functionality dictates
> usage" thing. This is wrong. If you'd use posix_spawn() or even
> fork()/exec you'd not only get better security but also significantly
> more speed and and less resource usage (executing a shell is extrememly
> demanding).

I can't remember the name of the thread, but it's worth reading.

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Jul 23 20:43:52 2002

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.