Hi,

On Sat, 26 Jul 2008, Rene Herman wrote:

> On 26-07-08 16:14, Johannes Schindelin wrote:
>
> > When the program 'git' is in the PATH, the argv[0] is set to the
> > basename. However, argv0_path needs the full path, so add a function
> > to discover the program by traversing the PATH manually.
>
> While not having read the context for this, this of course sounds like a huge
> gaping race-condition. If applicable here (as said, did not read context) you
> generally want to make sure that there's no window that a path could be
> replaced -- while perhaps not here, that's often the kind of thing that
> security attacks end up abusing.

Yeah, and that's why you would carefully time your attack just in between
the command invocation and the discovery of argv[0] in the PATH. Rather
than replacing the 'git' program with an infected version right away.

Giggling,
Dscho