Hi,

On Wed, 18 Apr 2007, Johannes Sixt wrote:

> Junio C Hamano wrote:
> > + interpolate(cmdbuf, sizeof(cmdbuf), cmd, table, 3);
> > +
> > + memset(&child, 0, sizeof(child));
> > + child.argv = args;
> > + args[0] = "sh";
> > + args[1] = "-c";
> > + args[2] = cmdbuf;
> > + args[3] = NULL;
>
> If I read the code correctly, there does not happen any shell quoting
> anywhere; hence, this shell invocation is dangerous.

AFAICT the files used are all temporary files named ".merge_file_xxxx" in the current directory, so there should not be a chance to have spaces or other weird characters in the files.

Ciao,
Dscho
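
Review bot: at `args[2] = cmdbuf;` the string built by interpolate() is handed to `sh -c`, and nothing in these lines quotes the 3 entries substituted from `table`, so the command is only safe while every substituted value is free of shell metacharacters. Either shell-quote each value before the interpolate() call, or add a comment above it stating that the values are always generated temporary file names, so that a later change passing a user-controlled path does not silently turn this into command injection. The result of interpolate() into the fixed-size `cmdbuf` is also not checked in these lines; if the expansion can be cut short at sizeof(cmdbuf), the truncated command should be rejected rather than executed.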