[Patch] Updated support for external command handlers
John A Meinel
john at arbash-meinel.com
Tue May 10 00:29:24 BST 2005
Michael Ellerman wrote:
> Before anyone picks me up on it .. I didn't add support for external commands
> in 'bzr help commands', because that would require blindly running everything
> in the $BZRPATH, which could be dangerous, eg.
>
> $ export BZRPATH=~/bin
> $ cat ~/bin/delete-home-directory
> #!/bin/bash
> rm -rf ~
> $ bzr help commands
> ...
> calls ~/bin/delete-home-directory --bzr-description
> ouch!
>
> If anyone can think of a nice way around this let me know.
>
> cheers
I can think of a fix if you only do python scripts. First, things would
be an import rather than a run, which is still a type of execute, but
not as likely to remove your home directory.
Second advantage is that you know it will be a text file, so you can
require the second line to be '# bzr script 1 0' or some such thing.
This gives you a version, and guarantees the file realizes it will be
run by bzr.
You could do something similar for shell scripts, but if you want to
allow arbitrary executables to run, I don't know how to handle that.
My first instinct is to require people to write a shell/python wrapper
for their exe, which can also use this safety check.
I also wonder, though, how you could prevent people from sneaking a file
that you start auto-executing. The best I could think of is an explicit
whitelist of extensions that you would support, and it isn't all that great.
Another possibility is that if "bzr foo" runs foo.sh, or foo.py, then
"bzr help commands" could list something like:
foo - unknown script, use bzr help commands --run-external to get more info
I think fai handled it with "if it's in your plugin directory, it's safe
to run". Because you *really* should never make ~/bin your plugin directory.
John
=:->
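The marker-line check John sketches above, as an added example that is not code from the thread or from bzr itself: it reads only the first two lines of each candidate `.py` file in a path, accepts the file only if the second line is a `# bzr script <major> <minor>` marker (the exact regex is an assumption), and so lets a `help commands` listing be built without executing or importing anything. The sample files it creates are constructed for the demo.

```python
import os
import re
import tempfile

# Marker the second line of an external command script must carry before
# it is listed. The "# bzr script 1 0" form is from the thread; the regex
# that parses it is an assumption made for this example.
MARKER_RE = re.compile(r"^#\s*bzr script\s+(\d+)\s+(\d+)\s*$")

def script_version(path):
    """Return (major, minor) if the file's second line is a valid marker,
    else None. Only two lines are read; the file is never run or imported."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            first = f.readline()
            second = f.readline()
    except OSError:
        return None
    if not first.startswith("#!"):
        return None
    m = MARKER_RE.match(second.strip())
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)))

def list_external_commands(bzrpath):
    """Map command name -> marker version for .py files in the bzrpath
    directories that carry the marker; everything else is skipped."""
    found = {}
    for d in bzrpath.split(os.pathsep):
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".py"):  # extension whitelist
                continue
            ver = script_version(os.path.join(d, name))
            if ver is not None:
                found.setdefault(name[:-3], ver)
    return found

def demo():
    """Constructed sample: one marked .py, one unmarked .py, one non-.py."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "foo.py"), "w") as f:
        f.write("#!/usr/bin/env python\n# bzr script 1 0\nprint('foo')\n")
    with open(os.path.join(d, "bar.py"), "w") as f:
        f.write("#!/usr/bin/env python\nprint('not for bzr')\n")
    with open(os.path.join(d, "delete-home-directory"), "w") as f:
        f.write("#!/bin/bash\n# bzr script 1 0\necho not listed\n")
    return list_external_commands(d)
```

Running `demo()` returns `{'foo': (1, 0)}`: the unmarked script and the shell script are left out without ever being executed.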