On 8/12/17, Andy Bradford <amb-fos...@bradfords.org> wrote:
> I think a bigger problem that Fossil has is partially addressed here:
>
> http://www.fossil-scm.org/index.html/info/ce7baa9798de21aa
>
> which is similar to the attack vector that you just fixed, though
> perhaps worse because it allows remote execution of commands:
>
> fossil clone "ssh://somehost//some/path;rm -rf /" clone.fossil
>

I went a slightly different route and simply added additional error
checking on the code that constructs the "ssh" command.

-- 
D. Richard Hipp
d...@sqlite.org
_______________________________________________
fossil-dev mailing list
fossil-dev@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev
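
An added illustration of the kind of error checking on ssh command construction that the reply above mentions; this is not Fossil's code and is not from either author. The function names, the character allowlists and the `remote-command` placeholder are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if z may be placed in an ssh command line: non-empty, no
** leading '-' (so it cannot be read as an option), and made only of
** alphanumerics plus the characters listed in zExtra. */
static int is_safe_token(const char *z, const char *zExtra){
  size_t i;
  if( z==NULL || z[0]=='\0' || z[0]=='-' ) return 0;
  for(i=0; z[i]!='\0'; i++){
    unsigned char c = (unsigned char)z[i];
    if( !isalnum(c) && strchr(zExtra, c)==NULL ) return 0;
  }
  return 1;
}

/* Build the ssh command for a clone URL's host and path parts.
** ssh hands everything after the host to the remote login shell, so
** shell metacharacters in zPath would run there; reject them up front.
** "remote-command" is a placeholder, not a real program name.
** Returns 0 on success, -1 if an input is rejected or zOut is too small. */
int build_ssh_command(const char *zHost, const char *zPath,
                      char *zOut, size_t nOut){
  int n;
  if( !is_safe_token(zHost, ".-_") ) return -1;
  if( !is_safe_token(zPath, "/._-") ) return -1;
  n = snprintf(zOut, nOut, "ssh -T %s remote-command %s", zHost, zPath);
  return (n<0 || (size_t)n>=nOut) ? -1 : 0;
}

int main(void){
  char zCmd[256];
  /* Second path is the one from the URL quoted in the message above. */
  const char *azPath[] = { "/some/path", "/some/path;rm -rf /" };
  size_t i;
  for(i=0; i<2; i++){
    int rc = build_ssh_command("somehost", azPath[i], zCmd, sizeof zCmd);
    printf("%-22s -> %s\n", azPath[i], rc==0 ? zCmd : "rejected");
  }
  return 0;
}
```

An allowlist this strict also refuses legitimate paths that contain spaces or other punctuation; the point is that the check fails closed before any command string exists.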
