![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
| author | Junio C Hamano <junkio@cox.net> | |
| Sun, 17 Apr 2005 04:29:45 +0000 (21:29 -0700) | ||
| committer | Linus Torvalds <torvalds@ppc970.osdl.org> | |
| Sun, 17 Apr 2005 04:29:45 +0000 (21:29 -0700) | ||
| commit | 9bd94cafdf104e613d7609401e60711cd08e209c | |
| tree | 2660be985a85b5a96b9de69050375ac5e436c957 | tree | snapshot |
| parent | d94c6128e6df3161b111e7af73a7ef782eb4b63e | commit | diff |
[PATCH] show-diff shell safety
The command line for running "diff" command is built without
taking shell metacharacters into account. A malicious dircache
entry "foo 2>bar" (yes, a filename with space) would result in
creating a file called "bar" with the error message "diff: foo:
No such file or directory" in it.
This is not just a user screwing over himself. Such a dircache
can be created as a result of a merge with tree from others.
Here is a fix.
Signed-off-by: Junio C Hamano <junkio@cox.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The command line for running "diff" command is built without
taking shell metacharacters into account. A malicious dircache
entry "foo 2>bar" (yes, a filename with space) would result in
creating a file called "bar" with the error message "diff: foo:
No such file or directory" in it.
This is not just a user screwing over himself. Such a dircache
can be created as a result of a merge with tree from others.
Here is a fix.
Signed-off-by: Junio C Hamano <junkio@cox.net>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| show-diff.c | diff | blob | history |