Ian Lance Taylor writes:
>
> What if I frob Update.prog? I don't claim to understand all the cases
> here, but it appears that that will be run by `cvs update'.

Update.prog just contains the name of the program to run, not the actual code. If you can't commit, you can't upload arbitrary code to run, you can only run pre-existing code on the server, and you have no control over its input or arguments, so it's a very low-level threat.

-Larry Jones

I always have to help Dad establish the proper context. -- Calvin
