Date: Wed, 17 Sep 2003 19:48:53 +0800
From: James Devenish
To: Zsh Users
Subject: Re: security risk in source builtin?
Message-ID: <20030917114853.GB5827@mail.guild.uwa.edu.au>
In-Reply-To: <20030917110731.GA535@gmx.de>

In message <20030917110731.GA535@gmx.de>
on Wed, Sep 17, 2003 at 01:07:31PM +0200, Dominik Vogt wrote:
> > > $ source test
> > > /usr/bin/test:3: bad pattern: ^@^F^@(...
[...]
> To the casual user, it is not obvious why the $PATH should be
> searched. After all, scripts read with "source" or "." should
> usually not be executable, so they do not belong into any
> directory in the $PATH.
[...]
> At the very least, I
> think "source" and "." should not attempt to read files in the
> $PATH that are not executable. Of course this is only my personal

As you mentioned, the . command is provided by the POSIX shell. I would
expect that changing its behaviour would cause existing scripts to fail,
as well as affecting portability.

I think that it is bad to be scripting with ". test" if you desire the
semantics of ". ./test" (in the case that you use "./test", $path will
not be searched). You are right that it is a "trap" to fall into, but
there is a definite difference between ". test" and ". ./test" and it is
probably more important that authors code carefully (as always applies
to coding).
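
The difference between ". test" and ". ./test" described in the message above, as an added example that is not part of the original thread: it runs the POSIX "." builtin under sh or bash against two same-named files and adds a small guard that refuses bare names. The temporary directory, the file name `settings`, and the functions `which_file_is_sourced` and `source_local` are hypothetical names made up for this illustration.

```shell
# Added demonstration: all directory and file names below are constructed.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/pathdir" "$demo_dir/work"

# Two different files share one name: one in a $PATH directory, one in the cwd.
echo 'origin=from_PATH' > "$demo_dir/pathdir/settings"
echo 'origin=from_cwd'  > "$demo_dir/work/settings"

# Read NAME with "." exactly as given, from the work directory, with pathdir
# first in $PATH, and print which of the two files was actually read.
which_file_is_sourced() {
    (
        cd "$demo_dir/work" || exit 1
        PATH="$demo_dir/pathdir:$PATH"
        origin=none
        . "$1"
        echo "$origin"
    )
}

# Guard for scripts: only read names that contain a slash, so $PATH is never
# consulted; a bare name is rejected instead of being looked up.
source_local() {
    case "$1" in
        */*) . "$1" ;;
        *)   echo "source_local: '$1' has no slash, use ./$1" >&2
             return 1 ;;
    esac
}

echo ". settings    reads: $(which_file_is_sourced settings)"
echo ". ./settings  reads: $(which_file_is_sourced ./settings)"
```
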