From 59527de76708616bc8966d0ced3577573c3062b6 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 22 Aug 2009 14:29:18 -0400 Subject: [PATCH] uh oh --- doc/plugins/contrib/cvs/discussion.mdwn | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/plugins/contrib/cvs/discussion.mdwn b/doc/plugins/contrib/cvs/discussion.mdwn index 65b6befd1..b063a53c2 100644 --- a/doc/plugins/contrib/cvs/discussion.mdwn +++ b/doc/plugins/contrib/cvs/discussion.mdwn @@ -31,6 +31,11 @@ the "cvs add " call and avoid doing anything in that case? >>> should only be built with execv() if the cvs plugin is loaded? >>> --[[schmonz]] +>>>> Hadn't considered that. While in wrapper mode the normal getopt is not +>>>> done, plugin getopt still runs, and so any unsafe options that +>>>> other plugins support could be a problem if another user runs +>>>> the setuid wrapper and passes those options through. --[[Joey]] + > Thing 2 I'm less sure of. (I'd like to see the web UI return > immediately on save anyway, to a temporary "rebuilding, please wait > if you feel like knowing when it's done" page, but this problem -- 2.26.2