Re: [bug-patch] [PATCH] do not validate target name when it is specified
From: Jim Meyering
Subject: Re: [bug-patch] [PATCH] do not validate target name when it is specified on the command line
Date: Mon, 14 Feb 2011 10:34:59 +0100

Andreas Gruenbacher wrote:
> On Monday 14 February 2011 10:16:12 Jim Meyering wrote:
>> I see what you mean, but invalid names seem important enough that I would
>> not want to be prompted -- not even with a warning -- about the patch
>> in question.
>
> On the other hand, immediately aborting when we see an invalid name (like in
> the current git) is also not appreciated?

When it comes to security, even low-risk things like this,
I think it pays to be extra careful, even if that ends up
causing minor inconvenience.

>> When being prompted, it is too easy to miss the preceding
>> warning among the already relatively verbose output.
>
> What harm does it do if the warning is overlooked?

With a prompt, it's too easy for the naive user to type in some variant
of the invalid file name. Obviously neither you nor I would try
"../../f" when patch says that "../f" doesn't work, but for a beginner,
even ../../../etc/passwd might not raise an eyebrow. Issuing the prompt
makes abuse via social engineering a tiny bit easier.
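
The fail-closed policy argued for in the message above, as an added example that is not part of the original message and is not GNU patch's code. It assumes an "invalid" name is one that is absolute or contains a ".." component; the enum and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Where the target file name came from (hypothetical names). */
enum name_source { FROM_PATCH_HEADER, FROM_COMMAND_LINE };
enum name_verdict { NAME_OK, NAME_REJECT };

/* Assumed rule: a name is invalid if it is absolute or has a ".." component. */
static bool name_escapes_tree(const char *name)
{
    if (name[0] == '/')
        return true;
    for (const char *p = name; *p != '\0'; ) {
        size_t len = strcspn(p, "/");          /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        p += len;
        while (*p == '/')                      /* skip separator run */
            p++;
    }
    return false;
}

/* Fail closed: an invalid name from patch input is rejected outright,
   never turned into a prompt.  A name the user typed on the command
   line is accepted as-is, per the subject of this thread. */
enum name_verdict check_target_name(const char *name, enum name_source src)
{
    if (name == NULL || name[0] == '\0')
        return NAME_REJECT;
    if (src == FROM_COMMAND_LINE)
        return NAME_OK;
    return name_escapes_tree(name) ? NAME_REJECT : NAME_OK;
}

int main(void)
{
    /* Constructed sample names, including the ones quoted in the message. */
    const char *samples[] = { "src/f.c", "../f", "../../../etc/passwd",
                              "a/../../b", "/etc/passwd", "..f/x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s header=%s cmdline=%s\n", samples[i],
               check_target_name(samples[i], FROM_PATCH_HEADER) == NAME_OK ? "ok" : "reject",
               check_target_name(samples[i], FROM_COMMAND_LINE) == NAME_OK ? "ok" : "reject");
    return 0;
}
```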