[java-sig-commits] [Bug 958733] plexus-utils: suspicious shell quoting in org.codehaus.plexus.util.cli

bugzilla at redhat.com bugzilla at redhat.com
Fri Sep 27 20:11:36 UTC 2013


https://bugzilla.redhat.com/show_bug.cgi?id=958733

Kristian Rosenvold <krosenvold at apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |krosenvold at apache.org



--- Comment #3 from Kristian Rosenvold <krosenvold at apache.org> ---
I am one of the current maintainers of the plexus code in question.

Plexus-utils is mostly used within maven, which (like all the build systems for
java) is not a "safe" execution environment; if someone wants to inject an "rm
-rf /*" into your build system there's probably thousands of different attack
vectors to achieve this. This applies to all modern java build systems and is
not a particular maven problem.

I am mostly trying to establish the actual severity of this issue;
we will gladly accept patches that update the correctness of the quoting
algorithms (or if you can explain it to thickheads like me, I'll even fix it
myself!). The code we're talking about here is ancient (and none of my doing)
and just understanding the problem/consequences is hard enough.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=6h4g1PrjeD&a=cc_unsubscribe


More information about the java-sig-commits mailing list