On 8/12/17, Andy Bradford <amb-fos...@bradfords.org> wrote:
> I think a bigger problem that Fossil has is partially addressed here:
> http://www.fossil-scm.org/index.html/info/ce7baa9798de21aa
> which  is similar  to  the attack  vector that  you  just fixed,  though
> perhaps worse because it allows remote execution of commands:
> fossil clone "ssh://somehost//some/path;rm -rf /" clone.fossil

I went a slightly different route and simply added additional error
checking on the code that constructs the "ssh" command.

D. Richard Hipp
fossil-dev mailing list

Reply via email to