Re: [Gnu-arch-users] [MERGE REQUEST] arguments in $EDITOR

gnu-arch-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnu-arch-users] [MERGE REQUEST] arguments in $EDITOR

From:	Johannes Berg
Subject:	Re: [Gnu-arch-users] [MERGE REQUEST] arguments in $EDITOR
Date:	Wed, 14 Apr 2004 18:40:49 +0200

On Wed, 2004-04-14 at 18:18, Aaron Bentley wrote:
> Considering the security risks involved in using the shell, wouldn't it 
> be better to set $EDITOR to a wrapper script?

What specific security risks do you see?

The input for the call to the shell comes from 2 sources here:
 1) the $EDITOR variable
 2) tla itself (in form of the generated name of the log file)

If an attacker can change either one, doesn't have have much better ways
of attacking than through an interactive commit?

johannes

[Prev in Thread]

Current Thread

[Next in Thread]

[Gnu-arch-users] [MERGE REQUEST] arguments in $EDITOR, Johannes Berg, 2004/04/14
- Re: [Gnu-arch-users] [MERGE REQUEST] arguments in $EDITOR, Bug Goo, 2004/04/14
- Re: [Gnu-arch-users] [MERGE REQUEST] arguments in $EDITOR, Aaron Bentley, 2004/04/14
  - Re: [Gnu-arch-users] [MERGE REQUEST] arguments in $EDITOR, Johannes Berg <=

Prev by Date: Re: [Gnu-arch-users] [MERGE REQUEST] arguments in $EDITOR
Next by Date: Re: [Gnu-arch-users] <<< conflict markers
Previous by thread: Re: [Gnu-arch-users] [MERGE REQUEST] arguments in $EDITOR
Next by thread: [Gnu-arch-users] [MERGE REQUEST] autodetect which sftp is used
Index(es):
- Date
- Thread