From: Junio C Hamano <gitster@pobox.com>
To: esr@thyrsus.com
Cc: git@vger.kernel.org
Subject: Re: [PATCH] cvsimport: rewrite to use cvsps 3.x to fix major bugs
Date: Fri, 11 Jan 2013 11:17:07 -0800 [thread overview]
Message-ID: <7vr4lrbkcs.fsf@alter.siamese.dyndns.org> (raw)
In-Reply-To: <20130111185818.GA30398@thyrsus.com> (Eric S. Raymond's message of "Fri, 11 Jan 2013 13:58:18 -0500")
"Eric S. Raymond" <esr@thyrsus.com> writes:
> Junio C Hamano <gitster@pobox.com>:
>> I think the prevalent style in this script is to write "print"
>> without parentheses:
>>
>> print STDERR "msg\n";
>
> That can be easily fixed.
>
>> This looks lazy and unsafe quoting. Is there anything that makes
>> sure repository path does not contain a single quote?
>
> No. But...wait, checking...the Perl code didn't have the analogous
> check, so there's no increased vulnerability here. I'll put it on the
> to-do list for after I ship parsecvs.
I checked before I sent that review, and as far as I could tell, it
was fairly consistently avoiding the lazy and insecure forms, e.g.
system("com mand " . $param);
open($fh, "com mand " . $param . " |"); while (<$fh>) { ... }
but used the more sequre list form, e.g.
system(qw(com mand), $param);
open($fh, "-|", qw(com mand), $param); while (<$fh>) { ... }
But of course there may be some places that were careless that I
didn't spot (and previous reviewers of the current cvsimport
didn't).
next prev parent reply other threads:[~2013-01-11 19:17 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-11 3:32 [PATCH] cvsimport: rewrite to use cvsps 3.x to fix major bugs Junio C Hamano
2013-01-11 16:31 ` Junio C Hamano
2013-01-11 18:58 ` Eric S. Raymond
2013-01-11 19:17 ` Junio C Hamano [this message]
2013-01-11 19:27 ` Junio C Hamano
2013-01-12 5:04 ` Eric S. Raymond
2013-01-12 5:20 ` Junio C Hamano
2013-01-12 5:38 ` [PATCH] t/t960[123]: remove leftover scripts Junio C Hamano
2013-01-12 6:06 ` Chris Rorvick
2013-01-12 8:40 ` [PATCH] t/lib-cvs: cvsimport no longer works without Python >= 2.7 Junio C Hamano
2013-01-12 15:27 ` Michael Haggerty
2013-01-13 17:17 ` John Keeping
2013-01-12 15:47 ` [PATCH] cvsimport: rewrite to use cvsps 3.x to fix major bugs Eric S. Raymond
2013-01-12 15:13 ` Michael Haggerty
2013-01-12 16:11 ` Eric S. Raymond
2013-01-12 18:16 ` Jonathan Nieder
2013-01-12 18:26 ` Jonathan Nieder
2013-01-13 22:20 ` Junio C Hamano
2013-01-13 23:27 ` Junio C Hamano
2013-01-14 1:40 ` [PATCH 0/3] A smoother transition plan for cvsimport Junio C Hamano
2013-01-14 1:40 ` [PATCH 1/3] cvsimport: allow setting a custom cvsps (2.x) program name Junio C Hamano
2013-01-14 1:40 ` [PATCH 2/3] cvsimport: introduce a version-switch wrapper Junio C Hamano
2013-01-14 1:47 ` Junio C Hamano
2013-01-14 1:40 ` [PATCH 3/3] cvsimport: start adding cvsps 3.x support Junio C Hamano
2013-01-15 6:19 ` Chris Rorvick
2013-01-15 6:44 ` Junio C Hamano
2013-01-14 5:12 ` [PATCH] cvsimport: rewrite to use cvsps 3.x to fix major bugs Michael Haggerty
2013-01-14 7:25 ` [PATCH v2 0/6] A smoother transition plan for cvsimport Junio C Hamano
2013-01-14 7:25 ` [PATCH v2 1/6] Makefile: add description on PERL/PYTHON_PATH Junio C Hamano
2013-01-14 7:25 ` [PATCH v2 2/6] cvsimport: allow setting a custom cvsps (2.x) program name Junio C Hamano
2013-01-14 7:25 ` [PATCH v2 3/6] cvsimport: introduce a version-switch wrapper Junio C Hamano
2013-01-14 7:25 ` [PATCH v2 4/6] cvsimport: start adding cvsps 3.x support Junio C Hamano
2013-01-14 7:25 ` [PATCH v2 5/6] cvsimport: make tests reusable for cvsimport-3 Junio C Hamano
2013-01-14 7:25 ` [PATCH v2 6/6] cvsimport-3: add a sample test Junio C Hamano
2013-01-14 7:47 ` [PATCH v2 0/6] A smoother transition plan for cvsimport Jonathan Nieder
2013-01-14 7:48 ` [PATCH v2 7/6] t9600: further prepare for sharing Junio C Hamano
2013-01-14 7:52 ` [PATCH v2 8/6] t9600: adjust for new cvsimport Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7vr4lrbkcs.fsf@alter.siamese.dyndns.org \
--to=gitster@pobox.com \
--cc=esr@thyrsus.com \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).