On Tue, 2006-10-17 at 08:29 +0200, Ludovic Drolez wrote:
> On the contrary, the quoting is done to avoid problem with quotes in
> filenames (before that I was unable to index files with single quotes or
> double quotes, and specialy crafted filenames could lead to arbitrary
> command invocations :-( ).
Right, a file named something like '/path/to/'&& rm -Rf /'&&echo .pdf'
could erase files.
> Maybe something needs to be updated in the docs ?
Yes, ultimately the problem is that people are still using quotes around
filenames in their Filefilter directive. Even if we switched to
fork-exec users would need to stop single-quoting their filenames in
David L Norris
ICQ - 412039
Received on Wed Oct 18 06:33:31 2006