[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug-diffutils] bug#35256: bug#35256: Bug report for -W argument (maximu

From: Paul Eggert
Subject: [bug-diffutils] bug#35256: bug#35256: Bug report for -W argument (maximum width) - minor and not dangerous
Date: Tue, 27 Aug 2019 16:23:08 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0

address@hidden wrote:

I know diff is used by A LOT of other programs, some of which are

I'm afraid that ship sailed a while ago: if you let a remote attacker specify an arbitrary option to GNU diff there is lots of other trouble you can get into. For example, the -I option lets the attacker specify a regular expression that can cause diff to undergo exponential complexity. The general wisdom nowadays is to not expose command-line operands to attackers.

As for putting in a limit, the GNU Coding Standards say to not impose arbitrary limits. In some cases there are good reasons to impose a limit anyway but this one doesn't seem to rise to that level.

You do raise a good point that 'diff' shouldn't treat negative inputs as if they were large positive inputs, so I installed the attached patch.

Thanks for reporting the problem; your bug report was a pleasure to read.

Attachment: 0001-diff-don-t-mistreat-N-in-arg-as-a-large-number.patch
Description: Text Data

reply via email to

[Prev in Thread] Current Thread [Next in Thread]