Security hole comitted to crew
Jonathan S. Shapiro
shap at eros-os.com
Fri Aug 31 10:28:00 CDT 2007
Brendan recently committed a well-intended change (URL below) to crew
that adds "." to the python path. This change is ill-advised. Dot is
generally excluded from the python path for security reasons. There is a
general concern, but there is a particular worry when hg is executed by
root.
The stated problem was to make developer testing easier. Since we have
recently agreed on an hgrc feature that allows paths to be added
explicitly, this objective will very shortly be satisfied by a more
appropriate modification. I expect to supply a patch for path update in
the next day or two.
In the meantime, can we undo this change IMMEDIATELY before we forget
about this. It would be very unfortunate for a security error does not
propagate into crew stable!!
With apologies to Brendan, I think that a few more marginal days of
inconvenience is less important than the security risk here.
http://hg.intevation.org/mercurial/crew/rev/980da86fc66a
--
Jonathan S. Shapiro
Managing Directory
The EROS Group, LLC
www.coyotos.org, www.eros-os.org
More information about the Mercurial-devel
mailing list