On 8/12/17, Andy Bradford <amb-fos...@bradfords.org> wrote:
> I think a bigger problem that Fossil has is partially addressed here:
>
> http://www.fossil-scm.org/index.html/info/ce7baa9798de21aa
>
> which is similar to the attack vector that you just fixed, though
> perhaps worse because it allows remote execution of commands:
>
> fossil clone "ssh://somehost//some/path;rm -rf /" clone.fossil
>

I went a slightly different route and simply added additional error
checking on the code that constructs the "ssh" command.

--
D. Richard Hipp
d...@sqlite.org
_______________________________________________
fossil-dev mailing list
fossil-dev@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev
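
One way error checking on the code that constructs the "ssh" command could look, as an added example in C that is not Fossil's actual fix and not code from this thread. The function names, the character allowlists and the `ssh -T ... fossil test-http` command layout are assumptions; `user@` and `:port` forms are not handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist check for one URL component before it reaches a command line.
 * extra: punctuation permitted in addition to alphanumerics. */
static int component_is_safe(const char *s, const char *extra) {
    if (s == NULL || *s == '\0') return 0;
    if (*s == '-') return 0;              /* ssh would parse it as an option */
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && strchr(extra, c) == NULL) return 0;
    }
    return 1;
}

/* Split "ssh://host/path" and build the command string (hypothetical helper).
 * Returns 0 on success, -1 if the URL is rejected or does not fit in out. */
int build_ssh_command(const char *url, char *out, size_t outlen) {
    static const char scheme[] = "ssh://";
    char host[256];
    const char *rest, *slash;
    size_t hlen;
    int n;

    if (strncmp(url, scheme, sizeof scheme - 1) != 0) return -1;
    rest = url + sizeof scheme - 1;
    slash = strchr(rest, '/');
    if (slash == NULL) return -1;
    hlen = (size_t)(slash - rest);
    if (hlen == 0 || hlen >= sizeof host) return -1;
    memcpy(host, rest, hlen);
    host[hlen] = '\0';
    /* Anything outside the allowlist (';', spaces, quotes, '$', ...) fails. */
    if (!component_is_safe(host, ".-_")) return -1;
    if (!component_is_safe(slash, "/._-")) return -1;
    /* Assumed command layout, for illustration only. */
    n = snprintf(out, outlen, "ssh -T %s fossil test-http %s", host, slash);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void) {
    /* Constructed inputs: a plain URL and the one quoted in the thread. */
    const char *urls[] = { "ssh://somehost//some/path",
                           "ssh://somehost//some/path;rm -rf /" };
    char cmd[512];
    for (size_t i = 0; i < 2; i++)
        printf("%s -> %s\n", urls[i],
               build_ssh_command(urls[i], cmd, sizeof cmd) == 0 ? cmd : "rejected");
    return 0;
}
```

Passing the host and path as separate `argv` entries to an `exec`-family call instead of formatting one string removes the local shell from the picture, but the remote side may still hand the command to a shell, so the allowlist is still needed.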