Re: Autoexpanding ZIP archives?

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: 2005-12-07 19:21:18 CET

On Wed, 2005-12-07 at 19:14 +0100, Hadmut Danisch wrote:
> I think so. But as a person who mainly works in the field of security
> for about 15 years, I do not yet see why such transformations should
> directly imply security problems. Of course, poorly implemented
> scripts could, but that's not an argument. If an attacker has access
> to the repository, he could also modify source code and wait until
> someone checks out, compiles, and runs it.

Are you arguing on this basis that the server should be able to tell the
client to run arbitrary code? That's not acceptable. People use
Subversion to version things other than source code, and by running "svn
co" they aren't consenting to give the server full access to their
client machines.

Received on Wed Dec 7 19:24:03 2005

This is an archived mail posted to the Subversion Dev mailing list.