It appears that Tinderbox has a security hole. Several times, we use system() calls to call scripts with args; this is a Bad Thing (tm). We should use the argument form of system() or replace the .pl scripts with .pm's and call them with use. I talked to dmose on IRC about this, and it appears real (though I wouldn't bet my life on it). Anyway, if it isn't, it doesn't really matter.
Tinderbox client or server? Can you point out a specific example?
Target Milestone: --- → Future
I'd suspect server, since the client isn't web interactive.
Switched to arg form of system call for all system() calls in the server that made sense. Marking fixed.
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
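The difference between the single-string and argument (list) forms of system() discussed in this bug, as an added example that is not Tinderbox code. The `$tree` value, the use of `echo` as a stand-in for a helper script, and the `safe_tree` allow-list are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # flush our output before each child process writes its own

# Constructed value standing in for a web-supplied parameter (hypothetical).
my $tree = 'SeaMonkey; echo INJECTED';

# Stand-in for a helper .pl script (hypothetical); echo shows exactly
# what the child process receives as its arguments.
my $script = 'echo';

# 1. Single-string form: the string contains shell metacharacters, so Perl
#    hands it to /bin/sh -c. The ';' ends the first command and starts a
#    second one chosen by whoever supplied $tree.
print "single-string form:\n";
system("$script tree=$tree");

# 2. List form: Perl calls execvp() with these arguments directly.
#    No shell parses the value, so it arrives as one literal argument.
print "list form:\n";
system($script, "tree=$tree") == 0
    or warn "child exited with status $?\n";

# 3. The list form removes shell parsing but does not validate the value.
#    An allow-list keeps out values the called script could misread,
#    such as ones that start with '-' and look like options.
sub safe_tree {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/ ? $name : undef;
}

print "allow-list check:\n";
for my $candidate ($tree, 'SeaMonkey', '--help') {
    my $ok = safe_tree($candidate);
    printf "  %-28s => %s\n", "'$candidate'",
        defined $ok ? 'accepted' : 'rejected';
}
```

On a POSIX system the single-string call prints two lines (the second produced by the injected command), while the list form prints the whole value as one argument.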