On 2020/03/04 07:54:46, hanwenn wrote:
> LGTM

Can you update the commit message though? I don't think there is a security
problem here.

Adding . in $PATH is a security problem on multi-user systems. In the context of
the build, you can regard this from two angles:

- you're executing in a known environment (i.e. the build or src dir), so the
multi-user concern doesn't hold
- you're executing build commands that were probably downloaded from a
potentially untrusted source, so you're SOL anyway.

Issue 563650043: Don't add . to PATH in Make
Created 4 years, 1 month ago by dak
Modified 4 years, 1 month ago
Reviewers: lemzwerg, hanwenn
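
A check for the condition discussed in the comment above, as an added example that is not part of the review thread or the project's build files: it lists the entries of a PATH-style string that resolve against the current directory. It goes beyond the literal "." case by also reporting other relative entries and empty entries, which POSIX treats as the current directory. The function name `path_relative_entries` and the sample values in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example; the function name and sample PATH values are constructed.
# Prints one line "<position>:<entry>" for every entry of a PATH-style string
# that is looked up relative to the current directory:
#   - "." and any other entry that does not start with "/"
#   - empty entries (leading, trailing or doubled ":"), which POSIX treats
#     as the current working directory
# Example: path_relative_entries '/usr/bin:.:/bin' prints "2:."
path_relative_entries() {
    [ -n "$1" ] || return 0    # an unset or empty string is not examined here
    rest="$1:"                 # trailing ":" so the last entry is terminated too
    index=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first ":"
        rest=${rest#*:}        # remainder after the first ":"
        index=$((index + 1))
        case $entry in
            '')  printf '%d:<empty>\n' "$index" ;;
            /*)  ;;            # absolute entry, nothing to report
            *)   printf '%d:%s\n' "$index" "$entry" ;;
        esac
    done
}

# Audit the PATH of the shell that runs this script.
path_relative_entries "$PATH"
```

Running it inside a build recipe (for example from a make rule) shows the PATH the build commands actually see, which can differ from the PATH of the invoking shell.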