On Fri, Jun 26, 2020 at 12:49:41PM +0200, Oswald Buddenhagen wrote:
> On Thu, Jun 25, 2020 at 03:54:24PM -0700, Kevin J. McCarthy wrote:
>> Is it worth correcting this?
>
> yes, doing parsing and quoting in the right layers is important. failure to do so leads to insanity and security holes. but make sure to check *all* consumers, lest you actually (re-)introduce security holes (if the handling of some untrusted data relies on this weird quoting behavior).
Thanks Oswald. I'll take a closer look at this.

One thing I can do is keep the escaping *only* for the cases it might be needed, such as hook command extraction.
-- 
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
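The layering the two messages above argue for, as an added illustration that is not part of the thread and not mutt's code: one parse layer strips the rc-file quoting exactly once at the boundary, and the one consumer that really hands the value to a shell (the hook-command case Kevin mentions) applies its own quoting exactly once. All function names, the rc-line format and the sample line are assumptions made up for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse layer.  Extract one token from an rc-file line: unquoted words end at
 * whitespace, "..." may contain whitespace, and a backslash makes the next
 * character literal inside or outside quotes.  The token is written to `out`
 * with the rc-file quoting removed, so every later consumer sees the plain
 * value.  Returns a pointer to the rest of the line, or NULL if `out` is too
 * small.  (Hypothetical tokenizer written for this example, not mutt's.) */
static const char *extract_token(const char *s, char *out, size_t outlen)
{
    size_t n = 0;
    int inquote = 0;

    while (*s && isspace((unsigned char)*s))
        s++;
    for (; *s; s++) {
        char c = *s;
        if (c == '\\' && s[1]) {            /* escaped character: take literally */
            c = *++s;
        } else if (c == '"') {              /* enter or leave a quoted region */
            inquote = !inquote;
            continue;
        } else if (!inquote && isspace((unsigned char)c)) {
            break;                          /* end of an unquoted token */
        }
        if (n + 1 >= outlen)
            return NULL;
        out[n++] = c;
    }
    out[n] = '\0';
    while (*s && isspace((unsigned char)*s))
        s++;
    return s;
}

/* Consumer layer.  Only the consumer that hands a value to /bin/sh needs shell
 * quoting, so it is applied here, exactly once, to the already-unescaped
 * value.  Single quotes are the safest form: nothing inside them is special
 * except another single quote, which becomes '\''.  Returns the length
 * written, or -1 if `out` is too small. */
static int shell_quote(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    const char *p;

    if (outlen < 3)                         /* need room for '' and the NUL */
        return -1;
    out[n++] = '\'';
    for (p = in; *p; p++) {
        const char *piece = (*p == '\'') ? "'\\''" : NULL;
        size_t len = piece ? strlen(piece) : 1;
        if (n + len + 2 > outlen)           /* piece, closing quote, NUL */
            return -1;
        if (piece)
            memcpy(out + n, piece, len);
        else
            out[n] = *p;
        n += len;
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Hook-command consumer (hypothetical format): the line is "<program> <argument>",
 * where the argument came straight out of the rc file.  Parse once, then quote
 * once for the shell.  Returns 0 on success, -1 on overflow. */
static int build_hook_command(const char *line, char *cmd, size_t cmdlen)
{
    char prog[64], arg[128], quoted[4 * sizeof arg + 3];
    const char *rest = extract_token(line, prog, sizeof prog);

    if (!rest || !(rest = extract_token(rest, arg, sizeof arg)))
        return -1;
    if (shell_quote(arg, quoted, sizeof quoted) < 0)
        return -1;
    if (snprintf(cmd, cmdlen, "%s %s", prog, quoted) >= (int)cmdlen)
        return -1;
    return 0;
}

/* Wrapper with a static result buffer so a caller can inspect the command. */
static const char *hook_command_for(const char *line)
{
    static char cmd[1024];
    return build_hook_command(line, cmd, sizeof cmd) == 0 ? cmd : NULL;
}

int main(void)
{
    /* Constructed sample rc line: the argument carries a space, an apostrophe
     * and embedded double quotes, all of which must survive both layers. */
    const char *line = "mailer \"Bob's \\\"report\\\"\"";
    const char *cmd = hook_command_for(line);
    printf("rc line : %s\ncommand : %s\n", line, cmd ? cmd : "(overflow)");
    return cmd ? 0 : 1;
}
```

The point Oswald raises still applies after this split: every consumer of `extract_token`'s output has to be checked, because a consumer that previously relied on the rc-file escaping surviving into the value (and did no quoting of its own) now receives the raw string and must grow its own layer, as the shell consumer does here.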