Security hole committed to crew
bboissin at gmail.com
Fri Aug 31 10:56:28 CDT 2007
On 8/31/07, Jonathan S. Shapiro <shap at eros-os.com> wrote:
> Brendan recently committed a well-intended change (URL below) to crew
> that adds "." to the python path. This change is ill-advised. Dot is
> generally excluded from the python path for security reasons. There is a
> general concern, but there is a particular worry when hg is executed by
It doesn't change the PYTHONPATH for hg, only for run-tests.
And it doesn't add '.', but the directory where the test-foo resides.
I agree that this brings some security concerns but it isn't as
alarming as your email sounds.
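An added illustration, not part of this thread or of Mercurial's code, of the point both sides are arguing over: Python resolves an import from the first search-path entry holding a matching module, so a current or writable directory placed early on the path shadows everything after it, the standard library included. The audit function `risky_sys_path_entries`, the module name `helper` and the temporary directories are constructed for this example.

```python
import importlib.machinery
import os
import shutil
import stat
import tempfile


def risky_sys_path_entries(path_entries, cwd=None):
    """Flag entries that mean 'the current directory' or are world-writable:
    a module found there wins over every later entry, stdlib included."""
    cwd = os.path.abspath(cwd or os.getcwd())
    risky = []
    for entry in path_entries:
        if entry in ("", ".") or os.path.abspath(entry) == cwd:
            risky.append(entry)
            continue
        try:
            if os.stat(entry).st_mode & stat.S_IWOTH:
                risky.append(entry)
        except OSError:
            pass  # nonexistent entry: nothing can be imported from it
    return risky


def resolving_file(module_name, path_entries):
    """File Python would load for module_name, searching only path_entries
    in order (the same first-match rule the import system applies to sys.path)."""
    spec = importlib.machinery.PathFinder.find_spec(module_name, path_entries)
    return spec.origin if spec is not None else None


def shadowing_demo():
    """Constructed demo: two directories each hold a module named 'helper';
    whichever directory is listed first on the search path supplies it."""
    first, second = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        for directory in (first, second):
            with open(os.path.join(directory, "helper.py"), "w") as fh:
                fh.write("WHO = %r\n" % directory)
        return {
            "first": first,
            "second": second,
            "first_wins": os.path.dirname(resolving_file("helper", [first, second])),
            "second_wins": os.path.dirname(resolving_file("helper", [second, first])),
        }
    finally:
        shutil.rmtree(first)
        shutil.rmtree(second)
```

The same first-match rule applies whether the entry is "." or the directory of a test script, which is why the quoted concern and the reply differ only in how exposed that directory is, not in whether precedence applies.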