From: Johannes Sixt <j.sixt@viscovery.net>
To: Dmitry Potapov <dpotapov@gmail.com>
Cc: Giovanni Funchal <gafunchal@gmail.com>,
	git@vger.kernel.org, "Shawn O. Pearce" <spearce@spearce.org>
Subject: Re: Files with colons under Cygwin
Date: Tue, 07 Oct 2008 08:13:20 +0200
Message-ID: <48EAFE00.3040907@viscovery.net>
In-Reply-To: <20081007005327.GT21650@dpotapov.dyndns.org>

Dmitry Potapov schrieb:
> On Mon, Oct 06, 2008 at 08:54:44AM +0200, Johannes Sixt wrote:
>> [*] I say "meaningful" and not "necessary" because the situation is just
>> like when you grab some random SoftwarePackage.tar.gz, and run ./configure
>> without looking first what it is going to do.
> 
> When I grab any tar, I can look at its contents without putting myself at any
> risk that some files can be overwritten on my file system. And when
> I want to look at some remote git repository, I usually do:
> 
>    git clone URL
> 
> If it can overwrite some files behind my back, it is a security hole.

Fair enough.

> On Linux (or other sane file systems), we have all required checks to
> prevent that from happening, and they are placed in verify_path, which
> prevents malicious names from entering the index and thus the file
> system too. So, we should do all required checks on Windows too.

I don't object to the intention of your patch. But I cannot judge whether
verify_path() is the correct location to put the checks because I don't
know this part of the code. I leave the final word to others.

-- Hannes
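The kind of check the thread is arguing about, as an added illustration that is not git's own verify_path(): a path validator that refuses components a cloned tree must never contain on Windows or Cygwin, such as "..", ".git", a colon (NTFS alternate data stream), a backslash, or other Win32-reserved characters. Function and helper names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Illustrative checker (added example, not git's verify_path()): reject path
 * components that must never reach the index when the working tree lives on
 * Windows or Cygwin, where ".." escapes the checkout, ".git" could replace
 * hooks or config, ':' names an NTFS alternate data stream, '\\' is a path
 * separator, and a trailing '.' or ' ' is silently stripped by Win32. */
static bool bad_component(const char *s, size_t len)
{
    if (len == 0)                       /* leading '/', "a//b", trailing '/' */
        return true;
    if (len == 1 && s[0] == '.')
        return true;
    if (len == 2 && s[0] == '.' && s[1] == '.')
        return true;
    if (len == 4 && strncasecmp(s, ".git", 4) == 0)
        return true;
    if (s[len - 1] == '.' || s[len - 1] == ' ')
        return true;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7f)      /* control characters */
            return true;
        if (strchr(":\\*?\"<>|", c))    /* Win32 reserved characters */
            return true;
    }
    return false;
}

/* Returns true only if every '/'-separated component of path is acceptable. */
bool path_ok_windows(const char *path)
{
    if (!path || !*path)
        return false;
    for (;;) {
        const char *sep = strchr(path, '/');
        size_t len = sep ? (size_t)(sep - path) : strlen(path);
        if (bad_component(path, len))
            return false;
        if (!sep)
            return true;
        path = sep + 1;
    }
}
```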
