From: Thomas Köhler <jean-luc@picard.franken.de>
To: Zsh Users <zsh-users@sunsite.dk>
Subject: Re: security risk in source builtin?
Date: Wed, 17 Sep 2003 08:58:02 +0200 (CEST)
Message-ID: <20030917065802.GA5374@picard.franken.de>
In-Reply-To: <20030916145820.GC4583@gmx.de>
Mailing-List: zsh-users@sunsite.dk (X-Seq: 6587)

Dominik Vogt wrote [2003/09/17]:
> A colleague and I just noticed that the "source" builtin looks for
> its argument in the $PATH. I guess that's something POSIX
> demands, but isn't it also a security risk? In this case, the
> following happened:
>
> $ ls -F
> test
> $ cat test
> echo hello world
> $ source test
> /usr/bin/test:3: bad pattern: ^@^F^@(...

Are you really sure you typed "source" here?

> Unless it is really important to have this behaviour for
> compatibility reasons, shouldn't searching the $PATH be at least
> disabled by default?

Quoting the manpage:

    source file [ arg ... ]
        Same as ., except that the current directory is always searched
        and is always searched first, before directories in $path.

Testing myself:

    /tmp> cat test
    echo hello world
    /tmp> ls -l test
    -rw-r--r--  1 jean-luc  jean-luc  17 2003-09-17 08:49 test
    /tmp> . test
    /usr/bin/test:12: parse error near `)'
    /tmp> source test
    hello world

Seems you have typed ". test" :-)

    . file [ arg ... ]
        Read commands from file and execute them in the current shell
        environment. If file does not contain a slash, or if PATH_DIRS
        is set, the shell looks in the components of $path to find the
        directory containing file. Files in the current directory are
        not read unless `.' appears somewhere in $path. If a file named
        `file.zwc' is found, is newer than file, and is the compiled
        form (created with the zcompile builtin) of file, then commands
        are read from that file instead of file. If any arguments arg
        are given, they become the positional parameters; the old
        positional parameters are restored when the file is done
        executing. The exit status is the exit status of the last
        command executed.

> Ciao
>
> Dominik

^_^ ^_^

Ciao,
Thomas

-- 
Thomas Köhler   Email: jean-luc@picard.franken.de   | LCARS - Linux
     <><        WWW:   http://jeanluc-picard.de     | for Computers
                IRC:   jeanluc                      | on All Real
       PGP public key available from Homepage!      | Starships
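The two manpage excerpts quoted in the reply describe two different lookup orders: `.` consults the directories in $path (and the current directory only when `.` is one of them), while `source` always tries the current directory first. The following POSIX sh script is an editorial addition, not code from the mail or from zsh itself; it emulates those two lookup orders as the manpage states them, so you can check which file a given name would resolve to before anything is executed. The function names `resolve_dot`, `resolve_source` and `demo_lookup` and the scratch layout (a "bin/test" placeholder standing in for /usr/bin/test, and the thread's "echo hello world" script in the working directory) are constructed for this example. Empty $path components are skipped rather than interpreted, since the quoted text says nothing about them.

```shell
#!/bin/sh
# Editorial example (not from the original mail or from zsh): emulate the
# lookup order the quoted manpage gives for `.` and `source`.

# resolve_dot NAME PATHLIST
#   Emulates `.`: a NAME containing a slash is used as given; otherwise only
#   the colon-separated PATHLIST directories are searched, so the current
#   directory is found only when "." is one of them.
resolve_dot() {
  _name=$1 _pathlist=$2
  case $_name in
    */*) [ -f "$_name" ] && printf '%s\n' "$_name" && return 0; return 1 ;;
  esac
  _old=$IFS; IFS=:
  for _d in $_pathlist; do
    [ -n "$_d" ] || continue            # empty components: skipped (assumption)
    if [ -f "$_d/$_name" ]; then
      IFS=$_old; printf '%s\n' "$_d/$_name"; return 0
    fi
  done
  IFS=$_old
  return 1
}

# resolve_source NAME PATHLIST
#   Emulates `source`: the current directory is always tried first, then the
#   same PATHLIST search as `.`.
resolve_source() {
  _name=$1 _pathlist=$2
  case $_name in */*) resolve_dot "$_name" "$_pathlist"; return $? ;; esac
  if [ -f "./$_name" ]; then printf '%s\n' "./$_name"; return 0; fi
  resolve_dot "$_name" "$_pathlist"
}

# demo_lookup
#   Rebuilds the thread's situation in a scratch directory: a placeholder
#   "bin/test" (standing in for /usr/bin/test) on the search path and the
#   script "test" in the working directory. Prints the file each builtin
#   would read, with the scratch prefix stripped: "bin/test ./test".
demo_lookup() {
  _tmp=$(mktemp -d) || return 1
  mkdir "$_tmp/bin" "$_tmp/work"
  printf 'binary placeholder\n' > "$_tmp/bin/test"   # constructed stand-in
  printf 'echo hello world\n'   > "$_tmp/work/test"  # the script from the mail
  (
    cd "$_tmp/work" &&
    _dot=$(resolve_dot test "$_tmp/bin") &&
    _src=$(resolve_source test "$_tmp/bin") &&
    printf '%s %s\n' "${_dot#"$_tmp"/}" "$_src"
  )
  _rc=$?
  rm -rf "$_tmp"
  return $_rc
}

demo_lookup
```

Run it and the first column is what `.` would read (the file on the search path, i.e. the binary in the thread) and the second is what `source` would read (the script in the current directory), which is exactly the difference between the two outcomes Thomas shows. Writing `. ./test` or `source ./test` avoids the ambiguity altogether, since a name with a slash is used as given by both builtins.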