Security hole committed to crew

Benoit Boissinot bboissin at gmail.com
Fri Aug 31 10:56:28 CDT 2007


On 8/31/07, Jonathan S. Shapiro <shap at eros-os.com> wrote:
> Brendan recently committed a well-intended change (URL below) to crew
> that adds "." to the python path. This change is ill-advised. Dot is
> generally excluded from the python path for security reasons. There is a
> general concern, but there is a particular worry when hg is executed by
> root.

It doesn't change the PYTHONPATH for hg, only for run-tests.
And it doesn't add '.', but the directory where the test-foo resides.
I agree that this brings some security concerns but it isn't as
alarming as your email sounds.

regards,

Benoit
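As an added illustration of the concern discussed above (not code from this thread or from Mercurial), a small audit that flags sys.path entries an unprivileged user could populate, which is what makes "." or an unowned directory on the path dangerous when the interpreter runs as root. Function names and the constructed sample path are my own.

```python
import os
import stat
import sys


def risky_path_entries(path_entries, uid=None):
    """Return (entry, reason) pairs for path entries that let another user
    plant a module shadowing a standard one (e.g. a rogue os.py)."""
    uid = getattr(os, "getuid", lambda: 0)() if uid is None else uid
    findings = []
    for entry in path_entries:
        # '' and '.' both mean "current working directory": whichever
        # directory the caller happens to be in, which root rarely controls.
        if entry in ("", "."):
            findings.append((entry, "current working directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative to cwd"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            continue  # the importer skips missing entries as well
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings.append((entry, "world-writable"))
        elif st.st_uid not in (0, uid):
            findings.append((entry, "owned by uid %d" % st.st_uid))
    return findings


def audit_running_interpreter():
    """Audit the sys.path of the interpreter running this script."""
    return risky_path_entries(sys.path)


def demo():
    """Constructed sys.path mixing a private absolute directory, cwd-style
    entries and a world-writable directory; returns the reasons flagged."""
    import tempfile
    safe = tempfile.mkdtemp()      # mode 0700, owned by us: no finding
    loose = tempfile.mkdtemp()
    os.chmod(loose, 0o777)         # anyone may drop a module in here
    try:
        return [reason for _, reason in
                risky_path_entries(["", ".", "tests/lib", safe, loose])]
    finally:
        os.rmdir(loose)
        os.rmdir(safe)
```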


More information about the Mercurial-devel mailing list