git_cmd_str does not quote the directory names without this patch. Signed-off-by: Lea Wiemann <LeWiemann@xxxxxxxxx> --- git_cmd_str is really really bad from a security POV: Where it is used, command lines are passed to the shell, which (I believe) just *happen* to open no security holes. Hence the function should ultimately go away. However, let's make the tests work for the meantime while it's still there. gitweb/gitweb.perl | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 07e64da..0bddc31 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -1502,7 +1502,7 @@ sub git_cmd { # returns path to the core git executable and the --git-dir parameter as string sub git_cmd_str { - return join(' ', git_cmd()); + return join ' ', map("'$_'", git_cmd()); } # get HEAD ref of given project as hash -- 1.5.6.rc3.7.ged9620
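Review bot: The added line `return join ' ', map("'$_'", git_cmd());` wraps each element in single quotes without escaping single quotes inside the element, so a git directory path that contains `'` closes the quoting early and the remainder is parsed by the shell. Escape the character before wrapping, for instance by replacing each `'` in the element with `'\''` inside the map, or hand the git_cmd() list to a list-form open so no shell parses the string at all, which matches the stated intent that git_cmd_str should eventually go away. The comment above the sub still reads "returns path to the core git executable and the --git-dir parameter as string"; it should say that the result is shell-quoted, so callers do not quote it a second time.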