Jeff King <peff@xxxxxxxx> writes:

> It was deliberate in the sense that I would allow them to write useful
> messages to the Actions log. If they want to do nonsense like
> "::set-output", then it's their foot and their gun.

It's not like fooling the framework you laid out here is a
potentially useful attack vector. We can assume that it is unlikely for the
custom allow-ref to be writing a string that happens to begin with
double-colon by mistake and making it harder to debug.

> I don't know if Actions distinguishes between stdout and stderr here
> (i.e., if we redirected the script's stdout to stderr, would that
> prevent this case or not?).

Perhaps we can experiment with "echo >&2 we are getting called" in
the allow-ref script itself ;-).

In any case, I'll queue it on 'pu'. Thanks.