On Thu, Oct 31, 2013 at 1:44 AM, Asif Naeem <anaeem...@gmail.com> wrote:
> On Thu, Oct 31, 2013 at 10:17 AM, Amit Kapila <amit.kapil...@gmail.com>
> wrote:
>> On Tue, Oct 29, 2013 at 12:46 PM, Naoya Anzai
>> <anzai-na...@mxu.nes.nec.co.jp> wrote:
>> > Hi Sandeep
>> >
>> >> I think, you should change the subject line  to "Unquoted service path
>> >> containing space is vulnerable and can be exploited on Windows" to get the
>> >> attention..  :)
>> > Thank you for advice!
>> > I'll try to post to pgsql-bugs again.
>> I could also reproduce this issue. The situation is very rare such
>> that an "exe" with name same as first part of directory should exist
>> in installation path.
> I believe it is a security risk with bigger impact as it is related to
> Windows environment and as installers rely on it.
>> I suggest you can post your patch in next commit fest.
> Yes. Are not vulnerabilities/security risk's taken care of more urgent bases
> ?

If one of the committers who is knowledgeable about Windows has time
to apply this *before* the next CommitFest, that's obviously great.
But the purpose of adding a link to the next CommitFest is to provide
a backstop, so that we're not relying solely on someone to notice this
email thread and pick it up, but instead have the patch as part of a
list of patches needing review.

Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to