On Aug 25, 2005, DJ Delorie <[EMAIL PROTECTED]> wrote:

> If "@string" is seen, but "string" does not represent an existing
> file, the string "@string" is passed to the program as-is.

With the terrible side effect of letting people think their
applications will just work, but introducing the very serious risk of
security problems, leading to, say:

gcc: dj:yourpassword:1234:567:DJ: invalid argument

instead of 

gcc: @/etc/passwd: invalid argument


Sure this is probably not so much of an issue for GCC (although remote
compile servers are not totally unheard of), but it could easily
become a very serious problem for other applications that might take
filenames from the network and worry about quoting - but not @; those
would then need fixing.

-- 
Alexandre Oliva         http://www.lsd.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer   [EMAIL PROTECTED], gcc.gnu.org}
Free Software Evangelist  [EMAIL PROTECTED], gnu.org}
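
An added example, not part of the original message and not GCC or libiberty code: one way a caller that takes file names from an untrusted source can keep them from being read as response files. `would_expand` is an assumed model of the rule quoted above, and `neutralize_filename_arg` is a hypothetical helper; the sample input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the quoted rule (an assumption for illustration, not the
   libiberty code): "@string" is expanded only when "string" names an
   existing, readable file; otherwise the argument is passed as-is. */
int would_expand(const char *arg)
{
    if (arg == NULL || arg[0] != '@' || arg[1] == '\0')
        return 0;
    FILE *f = fopen(arg + 1, "r");
    if (f == NULL)
        return 0;
    fclose(f);
    return 1;
}

/* Hypothetical helper: copy an untrusted file name so that it can never
   be taken for a response file.  "./@x" names the same relative file as
   "@x" but no longer begins with '@'.  Caller frees the result;
   NULL is returned for NULL/empty input or on allocation failure. */
char *neutralize_filename_arg(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return NULL;
    const char *prefix = (name[0] == '@') ? "./" : "";
    size_t len = strlen(prefix) + strlen(name) + 1;
    char *out = malloc(len);
    if (out != NULL)
        snprintf(out, len, "%s%s", prefix, name);
    return out;
}

int main(void)
{
    /* Constructed sample input: the file name from the message above. */
    const char *untrusted = "@/etc/passwd";
    char *safe = neutralize_filename_arg(untrusted);
    if (safe == NULL)
        return 1;
    printf("%-16s would_expand=%d\n", untrusted, would_expand(untrusted));
    printf("%-16s would_expand=%d\n", safe, would_expand(safe));
    free(safe);
    return 0;
}
```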
