From: Junio C Hamano <gitster@pobox.com>
To: esr@thyrsus.com
Cc: git@vger.kernel.org
Subject: Re: [PATCH] cvsimport: rewrite to use cvsps 3.x to fix major bugs
Date: Fri, 11 Jan 2013 11:17:07 -0800 [thread overview]
Message-ID: <7vr4lrbkcs.fsf@alter.siamese.dyndns.org> (raw)
In-Reply-To: <20130111185818.GA30398@thyrsus.com> (Eric S. Raymond's message of "Fri, 11 Jan 2013 13:58:18 -0500")
"Eric S. Raymond" <esr@thyrsus.com> writes:
> Junio C Hamano <gitster@pobox.com>:
>> I think the prevalent style in this script is to write "print"
>> without parentheses:
>>
>> print STDERR "msg\n";
>
> That can be easily fixed.
>
>> This looks lazy and unsafe quoting. Is there anything that makes
>> sure repository path does not contain a single quote?
>
> No. But...wait, checking...the Perl code didn't have the analogous
> check, so there's no increased vulnerability here. I'll put it on the
> to-do list for after I ship parsecvs.
I checked before I sent that review, and as far as I could tell, it
was fairly consistently avoiding the lazy and insecure forms, e.g.
system("com mand " . $param);
open($fh, "com mand " . $param . " |"); while (<$fh>) { ... }
but used the more sequre list form, e.g.
system(qw(com mand), $param);
open($fh, "-|", qw(com mand), $param); while (<$fh>) { ... }
But of course there may be some places that were careless that I
didn't spot (and previous reviewers of the current cvsimport
didn't).
next prev parent reply other threads:[~2013-01-11 19:17 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-11 3:32 [PATCH] cvsimport: rewrite to use cvsps 3.x to fix major bugs Junio C Hamano
2013-01-11 16:31 ` Junio C Hamano
2013-01-11 18:58 ` Eric S. Raymond
2013-01-11 19:17 ` Junio C Hamano [this message]
2013-01-11 19:27 ` Junio C Hamano
2013-01-12 5:04 ` Eric S. Raymond
2013-01-12 5:20 ` Junio C Hamano
2013-01-12 5:38 ` [PATCH] t/t960[123]: remove leftover scripts Junio C Hamano
2013-01-12 6:06 ` Chris Rorvick
2013-01-12 8:40 ` [PATCH] t/lib-cvs: cvsimport no longer works without Python >= 2.7 Junio C Hamano
2013-01-12 15:27 ` Michael Haggerty
2013-01-13 17:17 ` John Keeping
2013-01-12 15:47 ` [PATCH] cvsimport: rewrite to use cvsps 3.x to fix major bugs Eric S. Raymond
2013-01-12 15:13 ` Michael Haggerty
2013-01-12 16:11 ` Eric S. Raymond
2013-01-12 18:16 ` Jonathan Nieder
2013-01-12 18:26 ` Jonathan Nieder
2013-01-13 22:20 ` Junio C Hamano
2013-01-13 23:27 ` Junio C Hamano
2013-01-14 1:40 ` [PATCH 0/3] A smoother transition plan for cvsimport Junio C Hamano
2013-01-14 1:40 ` [PATCH 1/3] cvsimport: allow setting a custom cvsps (2.x) program name Junio C Hamano
2013-01-14 1:40 ` [PATCH 2/3] cvsimport: introduce a version-switch wrapper Junio C Hamano
2013-01-14 1:47 ` Junio C Hamano
2013-01-14 1:40 ` [PATCH 3/3] cvsimport: start adding cvsps 3.x support Junio C Hamano
2013-01-15 6:19 ` Chris Rorvick
2013-01-15 6:44 ` Junio C Hamano
2013-01-14 5:12 ` [PATCH] cvsimport: rewrite to use cvsps 3.x to fix major bugs Michael Haggerty
2013-01-14 7:25 ` [PATCH v2 0/6] A smoother transition plan for cvsimport Junio C Hamano
2013-01-14 7:25 ` [PATCH v2 1/6] Makefile: add description on PERL/PYTHON_PATH Junio C Hamano
2013-01-14 7:25 ` [PATCH v2 2/6] cvsimport: allow setting a custom cvsps (2.x) program name Junio C Hamano
2013-01-14 7:25 ` [PATCH v2 3/6] cvsimport: introduce a version-switch wrapper Junio C Hamano
2013-01-14 7:25 ` [PATCH v2 4/6] cvsimport: start adding cvsps 3.x support Junio C Hamano
2013-01-14 7:25 ` [PATCH v2 5/6] cvsimport: make tests reusable for cvsimport-3 Junio C Hamano
2013-01-14 7:25 ` [PATCH v2 6/6] cvsimport-3: add a sample test Junio C Hamano
2013-01-14 7:47 ` [PATCH v2 0/6] A smoother transition plan for cvsimport Jonathan Nieder
2013-01-14 7:48 ` [PATCH v2 7/6] t9600: further prepare for sharing Junio C Hamano
2013-01-14 7:52 ` [PATCH v2 8/6] t9600: adjust for new cvsimport Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7vr4lrbkcs.fsf@alter.siamese.dyndns.org \
--to=gitster@pobox.com \
--cc=esr@thyrsus.com \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.