On 1/5/09 10:56 AM +0000 Eric Kow wrote:
On Mon, Jan 05, 2009 at 02:36:09 -0800, David Caldwell wrote:I have a few fake darcs repos in the test section of a perl module I'm writing. I want to be able to test the module without having darcs installed so that the CPAN automated testers can do it for me.So, I'm still not 100% sure I understand here. Does this mean the only thing you are really interested in is to be able to create patches with _darcs in them? Explicitly relative patches and patches with ".." in their paths, presumably would still actually be malicious in your eyes?
Yes, in my particular use case I have patches with "_darcs" somewhere in the path name ("./t/darcs-old/_darcs"), though notably not in the first path component.
Speaking in general, I'm not sure why having "_darcs" anywhere other than the first component of the path would be malicious, but maybe I'm just not thinking deviously enough.
I still think it's reasonable to reject "..".This seems like a pretty rare edge case so I'm ok with the way it is now--I will just add the "--dont-restrict-paths" option when I get the error. I don't intend to mess with those nested test repos much so I doubt it will come up too often in my future (famous last words). If I were heavily editing them all the time it might make sense to have a whitelist feature like Florent suggested, or to change up the definition of is_malicious_path like I suggested.
-David
pgp0Imt4sK5w5.pgp
Description: PGP signature
_______________________________________________ darcs-users mailing list [email protected] http://lists.osuosl.org/mailman/listinfo/darcs-users
