Re: Don't add . to PATH in Make (issue 563650043 by address@hidden)
From: hanwenn
Subject: Re: Don't add . to PATH in Make (issue 563650043 by address@hidden)
Date: Wed, 04 Mar 2020 00:07:19 -0800
On 2020/03/04 07:54:46, hanwenn wrote:
> LGTM
Can you update the commit message though? I don't think there is a
security problem here.
Adding . in $PATH is a security problem on multi-user systems. In the
context of the build, you can regard this from two angles:
- you're executing in a known environment (i.e. the build or src dir), so
the multi-user concern doesn't hold
- you're executing build commands that were probably downloaded from a
potentially untrusted source, so you're SOL anyway.
https://codereview.appspot.com/563650043/
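
Added example, not part of the original message or of the project's build files: a POSIX shell check that lists every entry in a PATH-style string that is looked up relative to the current directory. Besides a literal `.`, that covers empty entries (a leading, trailing or doubled colon, which POSIX defines as the current directory) and any other entry that does not start with `/`. The function name `cwd_path_entries` and the sample values are made up for illustration.

```shell
#!/bin/sh
# cwd_path_entries PATHSTRING
# Prints one line per entry that resolves against the current directory,
# in the form "<position>:<entry>". Prints nothing for a clean PATH.
cwd_path_entries() {
    rest="$1:"      # sentinel colon so the final entry is processed too
    index=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first colon
        rest=${rest#*:}     # text after the first colon
        index=$((index + 1))
        case $entry in
            '') printf '%s\n' "$index:(empty)" ;;  # "::", leading or trailing ":"
            /*) ;;                                 # absolute: not cwd-relative
            *)  printf '%s\n' "$index:$entry" ;;   # ".", "./bin", "bin", ".."
        esac
    done
}

# Stand-alone use: report on the PATH this script was started with.
cwd_path_entries "${PATH-}"
```

Run at the top of a build recipe or CI step, it shows whether the environment the build inherits already searches the working directory, independent of what the Makefile itself sets.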