[darcs-users] darcs patch: Revert --restrict-paths removal. (and 2 more)
Eric Kow
kowey at darcs.net
Mon Jan 5 11:47:17 UTC 2009
On Mon, Jan 05, 2009 at 03:23:15 -0800, David Caldwell wrote:
>> So, I'm still not 100% sure I understand here. Does this mean the only
>> thing you are really interested in is to be able to create patches with
>> _darcs in them? Explicitly relative patches and patches with ".." in
>> their paths, presumably would still actually be malicious in your eyes?
>
> Yes, in my particular use case I have patches with "_darcs" somewhere in
> the path name ("./t/darcs-old/_darcs"), though notably not in the first
> path component.

Ok, thanks!

> Speaking in general, I'm not sure why having "_darcs" anywhere other than
> the first component of the path would be malicious, but maybe I'm just
> not thinking deviously enough.
>
> I still think it's reasonable to reject "..".

At first I was confused by why anybody would want to have explicitly
relative or ".." paths and now I know that the answer is "we don't".

> This seems like a pretty rare edge case so I'm ok with the way it is
> now--I will just add the "--dont-restrict-paths" option when I get the
> error. I don't intend to mess with those nested test repos much so I
> doubt it will come up too often in my future (famous last words). If I
> were heavily editing them all the time it might make sense to have a
> whitelist feature like Florent suggested, or to change up the definition
> of is_malicious_path like I suggested.

It may be worth thinking about making the --dont-restrict-paths option a
bit more conservative, so that instead of not restricting paths, it only
restricts them minimally (i.e. it tightens the definition of
is_malicious_path).

Anyway, I've applied your patches. Thanks!

--
Eric Kow <http://www.nltg.brighton.ac.uk/home/Eric.Kow>
PGP Key ID: 08AC04F9
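
Added example, not part of the original message and not darcs's own code: a two-tier path check along the lines discussed above, where a strict policy rejects "_darcs" anywhere in a patch path and a minimal policy (the more conservative --dont-restrict-paths suggested in the message) still rejects "..", absolute paths and "_darcs" as the first component. The names `Policy` and `rejection_reason`, the handling of "./" prefixes and all sample paths except the "./t/darcs-old/_darcs" prefix are assumptions.

```python
from enum import Enum

DARCS_DIR = "_darcs"


class Policy(Enum):
    STRICT = 1   # assumed default: "_darcs" rejected as any path component
    MINIMAL = 2  # assumed fallback: "_darcs" rejected only as first component


def components(path):
    # Split on "/" and drop empty and "." components: "./a//b" -> ["a", "b"].
    return [c for c in path.split("/") if c not in ("", ".")]


def rejection_reason(path, policy=Policy.STRICT):
    """Return why a patch path is rejected, or None if it is accepted."""
    if path.startswith("/"):
        return "absolute path"
    parts = components(path)
    # ".." is rejected under both policies: it can climb out of the working tree.
    if ".." in parts:
        return "'..' component"
    # Writing into the repository's own metadata directory is always rejected.
    if parts[:1] == [DARCS_DIR]:
        return "'_darcs' as first component"
    # Only the strict policy objects to a nested repository's "_darcs".
    if policy is Policy.STRICT and DARCS_DIR in parts:
        return "'_darcs' inside path"
    return None


# Constructed sample paths; only the "./t/darcs-old/_darcs" prefix is from the thread.
SAMPLES = [
    "./src/Main.hs",
    "./_darcs/prefs/defaults",
    "./t/darcs-old/_darcs/inventory",
    "./src/../../outside.txt",
    "/tmp/outside.txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        strict = rejection_reason(sample, Policy.STRICT)
        minimal = rejection_reason(sample, Policy.MINIMAL)
        print(f"{sample:35} strict={strict!r:32} minimal={minimal!r}")
```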