Ian Lance Taylor writes: > > What if I frob Update.prog? I don't claim to understand all the cases > here, but it appears that that will be run by `cvs update'. Update.prog just contains the name of the program to run, not the actual code. If you can't commit, you can't upload arbitrary code to run, you can only run pre-existing code on the server, and you have no control over its input or arguments, so it's a very low-level threat. -Larry Jones I always have to help Dad establish the proper context. -- Calvin
- [akr@M17N.ORG: cvs security problem] Ian Lance Taylor
- Re: [akr@M17N.ORG: cvs security problem] Karl Fogel
- Re: [akr@M17N.ORG: cvs security problem] Larry Jones
- Re: [akr@M17N.ORG: cvs security problem] Mike Castle
- Re: [akr@M17N.ORG: cvs security problem] Tanaka Akira
- Re: [akr@M17N.ORG: cvs security problem] Ian Lance Taylor
- Re: [akr@M17N.ORG: cvs security problem] Karl Fogel
- Re: [akr@M17N.ORG: cvs security problem] Michael Richardson
- Re: [akr@M17N.ORG: cvs security problem] Pavel Roskin
- Re: [akr@M17N.ORG: cvs security problem] Larry Jones
- Re: [akr@M17N.ORG: cvs security problem] Pavel Roskin
- Re: [akr@M17N.ORG: cvs security problem] Tanaka Akira
- Re: [akr@M17N.ORG: cvs security problem] Ian Lance Taylor
- Re: [akr@M17N.ORG: cvs security problem] Larry Jones
- Re: [akr@M17N.ORG: cvs security problem] Ian Lance Taylor
- Re: [akr@M17N.ORG: cvs security problem] Ian Lance Taylor
- Re: [akr@M17N.ORG: cvs security problem] Michael Richardson
- Re: [akr@M17N.ORG: cvs security problem] Tanaka Akira
- Re: [akr@M17N.ORG: cvs security problem] Michael Richardson
