Lea Wiemann <lewiemann@xxxxxxxxx> writes:

> git_cmd_str does not quote the directory names without this patch.
>
> Signed-off-by: Lea Wiemann <LeWiemann@xxxxxxxxx>
> ---
> git_cmd_str is really really bad from a security POV: Where it is
> used, command lines are passed to the shell, which (I believe) just
> *happen* to open no security holes. Hence the function should
> ultimately go away. However, let's make the tests work for the
> meantime while it's still there.
>
> gitweb/gitweb.perl | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
> index 07e64da..0bddc31 100755
> --- a/gitweb/gitweb.perl
> +++ b/gitweb/gitweb.perl
> @@ -1502,7 +1502,7 @@ sub git_cmd {
>
> # returns path to the core git executable and the --git-dir parameter as string
> sub git_cmd_str {
> - return join(' ', git_cmd());
> + return join ' ', map("'$_'", git_cmd());
> }

What happens to a path or parameter that has a sq in it?

You are returning this from git_cmd():

    return $GIT, '--git-dir='.$git_dir;

How does this cmd_str() get used?

If you absolutely have to have a single string that can be safely
passed to the shell, the easiest would be to quote mechanically in sq
following the pattern illustrated at the beginning of quote.c
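Review bot: the `+ return join ' ', map("'$_'", git_cmd());` line wraps each argument in single quotes but does not escape a single quote that is already inside the argument, so a `--git-dir=` value whose path contains `'` closes the quoted string early and the rest of the path reaches the shell unquoted, which is the case the reply asks about. If a single shell string is really required, escape embedded quotes first (replace each `'` with `'\''` and then wrap the result in `'...'`, the sq pattern from quote.c) rather than wrapping the raw value; since the description already says the function should go away, keeping the list form from `git_cmd()` and never handing the command line to a shell is the cleaner fix.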
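The difference between the patch's quoting and the mechanical sq quoting the reply suggests, as an added Perl example that is not gitweb's code nor part of the thread; the `$GIT` value and the repository path containing a single quote are constructed for illustration:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for gitweb's git_cmd(): executable path plus --git-dir
# parameter. The path is constructed to contain a single quote so the
# quoting problem becomes visible (hypothetical values).
my $GIT     = '/usr/bin/git';
my $git_dir = "/srv/git/o'neil.git";

sub git_cmd {
	return $GIT, '--git-dir=' . $git_dir;
}

# Quote one argument for a POSIX shell following the sq pattern from
# quote.c: every embedded ' becomes '\'' (close the quoted string, emit
# a backslash-escaped quote, reopen), then the whole value is wrapped.
sub sq_quote {
	my ($arg) = @_;
	$arg =~ s/'/'\\''/g;
	return "'$arg'";
}

# What the patch does: wraps each argument but leaves embedded ' alone,
# so the quote inside $git_dir terminates the quoted string early and
# the remainder of the path is parsed by the shell unquoted.
sub git_cmd_str_naive {
	return join ' ', map("'$_'", git_cmd());
}

# Mechanical sq quoting of every argument: the shell sees each argument
# as exactly one word, whatever characters the path contains.
sub git_cmd_str_sq {
	return join ' ', map(sq_quote($_), git_cmd());
}

print "naive: ", git_cmd_str_naive(), "\n";
print "sq:    ", git_cmd_str_sq(),    "\n";
```

Compare the two printed strings around the apostrophe in the path: only the sq form keeps the whole `--git-dir=` value inside one quoted word.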