| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <xmqqegqcccjt.fsf@gitster.dls.corp.google.com> Date: Fri, 30 Jan 2015 11:07:34 -0800 From: Junio C Hamano <gitster@...ox.com> To: Jeff King <peff@...f.net> Cc: Git Mailing List <git@...r.kernel.org>, Josh Boyer <jwboyer@...oraproject.org>, "Linux-Kernel\@Vger. Kernel. Org" <linux-kernel@...r.kernel.org>, twaugh@...hat.com, Linus Torvalds <torvalds@...ux-foundation.org> Subject: Re: [PATCH 2/1] apply: reject input that touches outside $cwd Jeff King <peff@...f.net> writes: > It looks like your new --allow-uplevel goes to verify_path(). So this > isn't just about "..", but it will also protect against applying a patch > inside ".git". Which seems like a good thing to me, but I wonder if the > option name is a little misleading. True; not just misleading but is incorrect, I would say. Suggestions? > I agree they are orthogonal in concept, though I doubt the symlink tests > here would pass without the previous one... It won't; "do not apply across symlinks" is unconditional, and the new codepath introduced by this patch, which is conditional to the user option, shouldn't have to worry about them. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists