On Tue, 11 Sep 2012 22:45:07 +0200, Andreas Tille wrote:
> On Tue, Sep 11, 2012 at 07:11:20PM +0200, gregor herrmann wrote:
> > > like calls because system does not return the number of files.
> > I'm attaching a small example that uses File::Find for this purpose.
> Do I understand you correctl
Hi Gregor,
On Tue, Sep 11, 2012 at 07:11:20PM +0200, gregor herrmann wrote:
> > like calls because system does not return the number of files.
>
> I'm attaching a small example that uses File::Find for this purpose.
Do I understand you correctly that these are just academic examples
to spread
On Tue, 11 Sep 2012 17:54:44 +0200, Andreas Tille wrote:
> Point taken for those calls where "user-input" (= strings mentioned in
> debian/copyright Files-Excluded) is involved. I left calls like
>
>my $tempdir = tempdir ( "uscan", TMPDIR => 1, CLEANUP => 1 );
>my $nfiles_before = `f
On Mon, Sep 10, 2012 at 10:07:40AM -0700, Don Armstrong wrote:
> lines like the following:
>
> `find "$main_source_dir" -path "$main_source_dir/$_" -print0 | xargs -0 rm
> -rf`;
>
> should really be written like this:
>
> system('find',$main_source_dir,'-path',"$main_source_dir/$_",qw(-exec
On Mon, 10 Sep 2012, Andreas Tille wrote:
> But these are totally different things: I understood your initial
> mail that using debian/copyright is insecure. Now you come up with
> the argument that using backticks might be insecure. So either
> backticks are insecure for *any* file we are using
Hi Charles,
On Mon, Sep 10, 2012 at 08:20:43AM +0900, Charles Plessy wrote:
> > I would love to get a pointer to the actual line[1] which executes
> > content from debian/copyright. TTBOMK, all expressions are part of the
> > seeking string of a find statement, nothing more.
>
> the find command
On Sun, Sep 09, 2012 at 11:04:44PM +0200, Andreas Tille wrote:
> On Fri, Sep 07, 2012 at 03:15:27PM +0100, Ian Jackson wrote:
> > Charles Plessy writes ("Re: Files-Excluded field and security implications
> > of uscan and debian/copyright."):
> > > Le Fri
On Fri, Sep 07, 2012 at 03:15:27PM +0100, Ian Jackson wrote:
> Charles Plessy writes ("Re: Files-Excluded field and security implications of
> uscan and debian/copyright."):
> > On Fri, Sep 07, 2012 at 08:44:36AM +0900, Charles Plessy wrote:
> > > in the case o
Charles Plessy writes ("Re: Files-Excluded field and security implications of
uscan and debian/copyright."):
> On Fri, Sep 07, 2012 at 08:44:36AM +0900, Charles Plessy wrote:
> > in the case of the Files-Excluded field, the contents of the field
> > are directly e
On Fri, Sep 07, 2012 at 08:44:36AM +0900, Charles Plessy wrote:
>
> in the case of the Files-Excluded field, the contents of the field are
> directly
> executed.
I mean: the contents are transferred to an expression that is directly executed.
Sorry for the noise,
--
Charles
Hi Andreas and everybody,
while drafting the IANA registration for the machine-readable Debian copyright
format, I had to consider and describe security implications, and realised that
in the case of the Files-Excluded field, the contents of the field are directly
executed. One can imagine scenar