Junio C Hamano wrote: > + interpolate(cmdbuf, sizeof(cmdbuf), cmd, table, 3); > + > + memset(&child, 0, sizeof(child)); > + child.argv = args; > + args[0] = "sh"; > + args[1] = "-c"; > + args[2] = cmdbuf; > + args[3] = NULL; If I read the code correctly, there does not happen any shell quoting anywhere; hence, this shell invocation is dangerous. -- Hannes - To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html