

From: Paul Eggert
Subject: [bug-diffutils] bug#35256: bug#35256: Bug report for -W argument (maximum width) - minor and not dangerous
Date: Tue, 27 Aug 2019 16:23:08 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0

address@hidden wrote:

> I know diff is used by A LOT of other programs, some of which are
> web-accessible

I'm afraid that ship sailed a while ago: if you let a remote attacker specify an arbitrary option to GNU diff there is lots of other trouble you can get into. For example, the -I option lets the attacker specify a regular expression that can cause diff to undergo exponential complexity. The general wisdom nowadays is to not expose command-line operands to attackers.

As for putting in a limit, the GNU Coding Standards say to not impose arbitrary limits. In some cases there are good reasons to impose a limit anyway but this one doesn't seem to rise to that level.

You do raise a good point that 'diff' shouldn't treat negative inputs as if they were large positive inputs, so I installed the attached patch.

Thanks for reporting the problem; your bug report was a pleasure to read.

Attachment: 0001-diff-don-t-mistreat-N-in-arg-as-a-large-number.patch
Description: Text Data
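The advice above (keep attacker-controlled strings out of diff's option parsing, and do not let a width reach diff as a negative number) can be made concrete. The wrapper below is an added example, not code from this thread or from diffutils; it assumes a hypothetical web service that lets a user pick only the side-by-side output width and the two files to compare. The option set is fixed in code, the width is validated as an unsigned decimal before it is placed in argv, and "--" ends option parsing so an operand named like an option (for example "-I.*") cannot become one. The MAX_WIDTH cap is a service-level choice made here, not a diffutils limit.

```python
"""Build a diff(1) command line from untrusted inputs without exposing
option parsing to the caller (added illustration, not diffutils code)."""
import re
import subprocess

# Only a run of ASCII digits is accepted. int() alone would also take
# "-5", "+5", " 5" and "5_0", and getopt would hand "-5" to diff as the
# argument of -W, which is exactly how a negative width reaches it.
# [0-9] is used rather than \d because \d also matches non-ASCII digits.
_WIDTH_RE = re.compile(r"\A[0-9]{1,6}\Z")
MAX_WIDTH = 10_000  # cap chosen for this hypothetical service, not by diffutils


class UnsafeArgument(ValueError):
    """Raised when an untrusted value must not be passed to diff."""


def validate_width(raw):
    """Return the width as a positive int, or raise UnsafeArgument."""
    if not isinstance(raw, str) or not _WIDTH_RE.fullmatch(raw):
        raise UnsafeArgument("width must be an unsigned decimal integer: %r" % (raw,))
    width = int(raw)
    if width == 0 or width > MAX_WIDTH:
        raise UnsafeArgument("width out of range: %d" % width)
    return width


def is_safe_width(raw):
    """Boolean form of validate_width, convenient for callers and tests."""
    try:
        validate_width(raw)
    except UnsafeArgument:
        return False
    return True


def build_diff_argv(left, right, width="130"):
    """Return argv for diff with a fixed option set.

    Options are hard-coded here; no caller-supplied string is ever
    interpreted as an option name. The width is the only tunable value and
    is validated first. '--' ends option parsing, so file names that start
    with '-' are still treated as operands.
    """
    for path in (left, right):
        if not isinstance(path, str) or path == "" or "\0" in path:
            raise UnsafeArgument("invalid path operand: %r" % (path,))
    width = validate_width(width)
    return ["diff", "-y", "-W", str(width), "--", left, right]


def run_diff(left, right, width="130", timeout=10):
    """Run diff without a shell; returns (exit status, stdout).

    diff exits 0 for identical inputs, 1 for differences, 2 on trouble.
    A timeout bounds the damage if an operand is unexpectedly expensive.
    """
    argv = build_diff_argv(left, right, width)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # Constructed inputs: write two small files and diff them side by side.
    import tempfile, os
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "a.txt"), os.path.join(d, "b.txt")
    with open(a, "w") as f:
        f.write("alpha\nbeta\n")
    with open(b, "w") as f:
        f.write("alpha\ngamma\n")
    status, out = run_diff(a, b, "60")
    print("exit status:", status)
    print(out)
```

Note what the wrapper does not do: it never accepts -I (or any regular expression) from the caller, because a user-chosen pattern is itself an input to a backtracking regex engine, which is the exponential-complexity case Paul mentions. If a service needs ignore patterns, they belong in a fixed server-side list, not in a request parameter.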

