[bug-diffutils] bug#35256: bug#35256: Bug report for -W argument (maximum width) - minor and not dangerous
Tue, 27 Aug 2019 16:23:08 -0700
I know diff is used by A LOT of other programs, some of which are
I'm afraid that ship sailed a while ago: if you let a remote attacker specify an
arbitrary option to GNU diff there is lots of other trouble you can get into.
For example, the -I option lets the attacker specify a regular expression that
can cause diff to undergo exponential complexity. The general wisdom nowadays is
to not expose command-line operands to attackers.
As for putting in a limit, the GNU Coding Standards say to not impose arbitrary
limits. In some cases there are good reasons to impose a limit anyway but this
one doesn't seem to rise to that level.
You do raise a good point that 'diff' shouldn't treat negative inputs as if they
were large positive inputs, so I installed the attached patch.
Thanks for reporting the problem; your bug report was a pleasure to read.
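
Added example, not part of the original message and not the patch it refers to: a C illustration of how a width argument such as "-1" turns into a huge positive value when parsed with strtoumax, next to a stricter parse that rejects it without imposing an arbitrary limit. The function names and sample arguments are assumptions made for this illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Naive parse: strtoumax accepts a leading '-' and returns the negated
   value in the unsigned return type, so "-1" becomes UINTMAX_MAX.  */
static uintmax_t parse_width_naive(const char *arg)
{
    return strtoumax(arg, NULL, 10);
}

/* Strict parse (hypothetical helper): digits only, no sign, no trailing
   junk, and the value must fit in size_t.  Returns false on rejection.  */
static bool parse_width_strict(const char *arg, size_t *width)
{
    if (!isdigit((unsigned char) arg[0]))
        return false;               /* rejects "", "-1", "+5", " 7" */
    errno = 0;
    char *end;
    uintmax_t v = strtoumax(arg, &end, 10);
    if (*end != '\0')
        return false;               /* trailing junk such as "80x" */
    if (errno == ERANGE || v > SIZE_MAX)
        return false;               /* not representable, not an arbitrary cap */
    *width = (size_t) v;
    return true;
}

int main(void)
{
    /* Constructed sample arguments.  */
    const char *samples[] = { "130", "-1", "80x", "99999999999999999999999" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        size_t w = 0;
        bool ok = parse_width_strict(samples[i], &w);
        printf("%-24s naive=%ju strict=%s\n", samples[i],
               parse_width_naive(samples[i]), ok ? "accepted" : "rejected");
    }
    return 0;
}
```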
- [bug-diffutils] bug#35256: bug#35256: Bug report for -W argument (maximum width) - minor and not dangerous,
Paul Eggert <=