Security problem for the spec file serverside - auto building from tags

Scott Davis

Jan 24, 2010, 3:54:24 AM
to PEAR Farm
http://gist.github.com/285108

On line 11 you see I include the spec file to get the package info.

Problem is you could put non-friendly stuff in the spec file and it
would execute ... so how do I get around this? Any ideas?

scott davis

Jan 24, 2010, 4:07:16 AM
to PEAR Farm

Alan Pinstein

Jan 24, 2010, 11:01:59 AM
to pear...@googlegroups.com
Oh man I didn't even think of that at first... yeah, that's kind of a
problem.

Maybe run it in a chroot jail?

Evert

Jan 25, 2010, 2:19:28 AM
to PEAR Farm

On Jan 25, 1:01 am, Alan Pinstein <apinst...@mac.com> wrote:
> Oh man I didn't even think of that at first... yeah, that's kind of a  
> problem.
>
> Maybe run it in a chroot jail?
>

I would only do this as a temporary measure. In the long run you'll be
better off switching to an XML or PHP format.
How about actually using the PEAR package.xml? Would there be reasons
against this?

Evert
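
The package.xml route suggested in the post above, as an added example (not code from the thread, the gist, or PEAR Farm): the server parses the metadata as data instead of `include`-ing a spec file, then checks each value before using it. `readPackageInfo()` is a hypothetical helper, the sample XML is constructed, and the field rules are assumptions about what a build server would accept.

```php
<?php
// Added example. readPackageInfo() is a hypothetical helper; the XML below is a constructed sample.

function readPackageInfo(string $xmlText): array
{
    // Refuse DTDs outright so entity declarations never reach the parser.
    if (stripos($xmlText, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE is not accepted');
    }

    libxml_use_internal_errors(true);   // collect parse errors instead of emitting warnings
    $xml = simplexml_load_string($xmlText, 'SimpleXMLElement', LIBXML_NONET);
    if ($xml === false || $xml->getName() !== 'package') {
        throw new InvalidArgumentException('not a well-formed package.xml');
    }

    // Parsing only yields strings; nothing in the file is ever executed.
    $info = [
        'name'      => trim((string) $xml->name),
        'channel'   => trim((string) $xml->channel),
        'version'   => trim((string) $xml->version->release),
        'stability' => trim((string) $xml->stability->release),
    ];

    // Values are still attacker-controlled: check their shape before they reach paths, commands or HTML.
    $rules = [
        'name'      => '/\A[A-Za-z][A-Za-z0-9_]{0,79}\z/',
        'channel'   => '/\A[A-Za-z0-9][A-Za-z0-9.\/-]{0,99}\z/',
        'version'   => '/\A\d+\.\d+\.\d+[A-Za-z0-9]{0,16}\z/',
        'stability' => '/\A(snapshot|devel|alpha|beta|stable)\z/',
    ];
    foreach ($rules as $field => $pattern) {
        if (preg_match($pattern, $info[$field]) !== 1) {
            throw new InvalidArgumentException("rejected value for $field");
        }
    }
    return $info;
}

$sample = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<package version="2.0" xmlns="http://pear.php.net/dtd/package-2.0">
  <name>Example_Package</name>
  <channel>pear.example.org</channel>
  <version><release>0.1.0</release><api>0.1.0</api></version>
  <stability><release>beta</release><api>beta</api></stability>
</package>
XML;
print_r(readPackageInfo($sample));
```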

scott davis

Jan 25, 2010, 4:29:03 AM
to pear...@googlegroups.com
The whole idea was to mimic pearhub's functionality but using our same spec format ... but this just keeps getting hairy and gross