[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#95430: acknowledged by developer (Re: Bug#95430: ash: word-splitting changes break shell scripts)

severity 95430 normal

On Mon, Apr 30, 2001 at 07:48:07PM -0700, Zack Weinberg wrote:
> severity 95430 critical
> quit
> I can keep this up just as long as you can.

Everyone around here knows that I just love this game.

> > > (tests) ... except that ash does honor IFS from the environment.  You
> > > realize that this is a gaping security hole, even if IFS is only used
> > > to split the results of expansion?  You realize that it is trivial to
> > > break any shell script on the entire machine that way?
> > 
> > Get a clue, Linux does not allow setuid scripts.
> Irrelevant.  Look up IFS in a bugtraq archive.
> I shan't do your homework for you.

I did.  And guess what, I didn't find one single exploit regarding this
on Linux.  Interestingly, I found one exploit that relied on IFS to be set
to work.

> > You're the one who doesn't get it.  If you are writing shell functions
> > and you need to save the IFS, then you need to save it properly.
> You don't seem to comprehend the difference between shell *functions*
> and shell *scripts*.

Sorry I misread one of your messages.

In any case, your script is still broken.  I'm only working around this
because a related autoconf breakage (#95447) is very widespread.
Debian GNU/Linux 2.2 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Reply to: