On Mon, Feb 13, 2012 at 7:26 PM, Leo Razoumov <slonik...@gmail.com> wrote:

> On Mon, Feb 13, 2012 at 18:30, Gé Weijers <g...@weijers.org> wrote:
> > On Mon, Feb 13, 2012 at 1:49 PM, Steve Bennett <ste...@workware.net.au>
> > wrote:
> >>
> >> Joe Mistachkin has recently added support for calling TH1 scripts on
> >> certain actions.
> >> See http://www.fossil-scm.org/index.html/info/0b61e3c019
> >>
> >> In the jimtcl branch, TH1 is replaced with Jim Tcl, so any of these
> >> scripts has the full power of Jim Tcl, including exec.
> >>
> >
> > This sounds a whole lot like mobile code. I was left wondering: would it be
> > enough to do a 'fossil clone <something>' to download a malware script
> > onto my system? How is this capability secured?
>
> Are TH1 and Tcl interpreters properly sand-boxed? Otherwise,
> downloading and running random scripts found in some random repos does
> not strike me as sound security.
>

I don't know what others plan on doing with this but in no usage that I can
think of would automatically syncing the scripts to another repo make
sense. Perhaps they could come across on a config pull.



> --Leo--
> _______________________________________________
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
>