On Thu, Oct 31, 2013 at 1:44 AM, Asif Naeem <[email protected]> wrote:
> On Thu, Oct 31, 2013 at 10:17 AM, Amit Kapila <[email protected]>
> wrote:
>>
>> On Tue, Oct 29, 2013 at 12:46 PM, Naoya Anzai
>> <[email protected]> wrote:
>> > Hi Sandeep
>> >
>> >> I think, you should change the subject line to "Unquoted service path
>> >> containing space is vulnerable and can be exploited on Windows" to get the
>> >> attention.. :)
>> > Thank you for advice!
>> > I'll try to post to pgsql-bugs again.
>>
>> I could also reproduce this issue. The situation is very rare such
>> that an "exe" with name same as first part of directory should exist
>> in installation path.
>
> I believe it is a security risk with bigger impact as it is related to
> Windows environment and as installers rely on it.
>
>>
>> I suggest you can post your patch in next commit fest.
>
> Yes. Are not vulnerabilities/security risks taken care of on a more urgent
> basis?

If one of the committers who is knowledgeable about Windows has time
to apply this *before* the next CommitFest, that's obviously great.
But the purpose of adding a link to the next CommitFest is to provide
a backstop, so that we're not relying solely on someone to notice this
email thread and pick it up, but instead have the patch as part of a
list of patches needing review.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
