Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(10827)
Issues Repositories Search
Open Issues | Closed Issues | All Issues | Sign in with your Google Account to create issues and add comments

Issue 563650043: Don't add . to PATH in Make

Can't Edit
Can't Publish+Mail
Start Review
Created:
4 years, 1 month ago by dak
Modified:
4 years, 1 month ago
Reviewers:
lemzwerg, hanwenn
CC:
lilypond-devel_gnu.org
Visibility:
Public.

Description

Don't add . to PATH in Make That was apparently done by accident and may draw unexpected executable files into the action.

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+1 line, -1 line) Patch
M make/lilypond-vars.make View 1 chunk +1 line, -1 line 0 comments Download

Messages

Total messages: 3
lemzwerg
LGTM
4 years, 1 month ago (2020-03-04 06:23:14 UTC) #1
hanwenn
LGTM
4 years, 1 month ago (2020-03-04 07:54:46 UTC) #2
hanwenn
4 years, 1 month ago (2020-03-04 08:07:19 UTC) #3 
On 2020/03/04 07:54:46, hanwenn wrote:
> LGTM

Can you update the commit message though? I don't think there is a security
problem here.

Adding . in $PATH is a security problem on multi-user systems. In the context of
the build, you can regard this from two angles:

- you're executing in a known environment (ie. the build or src dir), so the
multi-user concern doesn't hold

- you're executing build commands that were probably downloaded from a
potentially untrusted source, so you're SOL anyway.
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b