Re: Bug#95430: acknowledged by developer (Re: Bug#95430: ash: word-splitting changes break shell scripts)
severity 95430 normal
quit
On Mon, Apr 30, 2001 at 07:48:07PM -0700, Zack Weinberg wrote:
> severity 95430 critical
> quit
>
> I can keep this up just as long as you can.
Everyone around here knows that I just love this game.
> > > (tests) ... except that ash does honor IFS from the environment. You
> > > realize that this is a gaping security hole, even if IFS is only used
> > > to split the results of expansion? You realize that it is trivial to
> > > break any shell script on the entire machine that way?
> >
> > Get a clue, Linux does not allow setuid scripts.
>
> Irrelevant. Look up IFS in a bugtraq archive.
> I shan't do your homework for you.
I did. And guess what, I didn't find one single exploit regarding this
on Linux. Interestingly, I found one exploit that relied on IFS to be set
to work.
> > You're the one who doesn't get it. If you are writing shell functions
> > and you need to save the IFS, then you need to save it properly.
>
> You don't seem to comprehend the difference between shell *functions*
> and shell *scripts*.
Sorry I misread one of your messages.
In any case, your script is still broken. I'm only working around this
because a related autoconf breakage (#95447) is very widespread.
--
Debian GNU/Linux 2.2 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Reply to: