From: Dominik Vogt <zsh-users@sunsite.dk>
To: Zsh Users <zsh-users@sunsite.dk>
Subject: Re: security risk in source builtin?
Date: Wed, 17 Sep 2003 14:52:30 +0200
Message-ID: <20030917125230.GA3539@gmx.de>
In-Reply-To: <20030917114853.GB5827@mail.guild.uwa.edu.au>

On Wed, Sep 17, 2003 at 07:48:53PM +0800, James Devenish wrote:
> In message <20030917110731.GA535@gmx.de>
> on Wed, Sep 17, 2003 at 01:07:31PM +0200, Dominik Vogt wrote:
> > > >   $ source test
> > > >   /usr/bin/test:3: bad pattern: ^@^F^@(...
> [...]
> > To the casual user, it is not obvious why the $PATH should be
> > searched.  After all, scripts read with "source" or "." should
> > usually not be executable, so they do not belong into any
> > directory in the $PATH.
> [...]
> > At the very least, I
> > think "source" and "." should not attempt to read files in the
> > $PATH that are not executable.  Of course this is only my personal
> 
> As you mentioned, the . command is provided by the POSIX shell. I would
> expect that changing its behaviour would cause existing scripts to fail,
> as well as affecting portability. I think that it is bad to be scripting
> with ". test" if you desire the semantics of ". ./test" (in the case
> that you use "./test", $path will not be searched). You are right that
> it is a "trap" to fall into, but there is a definite difference between
> ". test" and ". ./test" and it is probably more important that authors
> code carefully (as always applies to coding).

Okay, this is what POSIX says for ".":

  If file does not contain a slash, the shell shall use the search
  path specified by PATH to find the directory containing file.
  Unlike normal command search, however, the file searched for by
  the dot utility need not be executable.

which is implemented correctly in zsh, but not in bash (who cares
;-) ) or pdksh.  I.e. zsh looks in the $PATH only while bash tries
. if $PATH fails.  "source" is not part of POSIX.  So it seems the
security problem is in the POSIX spec itself :-P

Ciao

Dominik ^_^  ^_^
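The lookup rule quoted from POSIX above can be made visible with a small emulation. The following is an added example, not code from the thread or from zsh; the function names resolve_dot_target, make_layout and demo are my own, and the directory layout it builds is constructed for the demonstration. It prints which file ". name" would read without sourcing anything.

```shell
#!/bin/sh
# Added example, not code from the thread: emulate the POSIX lookup that "."
# performs so you can see which file ". name" will actually read. Per the spec
# quoted above, a name containing a slash is used as given; otherwise each PATH
# directory is tried in order and the first readable file wins, executable or not.

# Usage: resolve_dot_target NAME [SEARCHPATH]; prints the path, returns 1 if none.
resolve_dot_target() {
    name=$1
    searchpath=${2:-$PATH}
    case $name in
        */*) printf '%s\n' "$name"; return 0 ;;   # slash: no search at all
    esac
    oldifs=$IFS
    IFS=:
    for dir in $searchpath; do
        [ -n "$dir" ] || dir=.   # an empty PATH element means the current directory
        if [ -f "$dir/$name" ] && [ -r "$dir/$name" ]; then
            IFS=$oldifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# Constructed layout: a non-executable "test" in a PATH directory and another
# "test" in the working directory. Prints the temporary root.
make_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/work"
    printf 'echo sourced from PATH\n' > "$root/bin/test"
    chmod 644 "$root/bin/test"   # readable but NOT executable: "." still takes it
    printf 'echo sourced from cwd\n' > "$root/work/test"
    printf '%s\n' "$root"
}

# From inside work/, ". test" resolves to bin/test while ". ./test" stays local.
demo() {
    root=$(make_layout)
    (
        cd "$root/work" || exit 1
        printf '. test   -> %s\n' "$(resolve_dot_target test "$root/bin")"
        printf '. ./test -> %s\n' "$(resolve_dot_target ./test "$root/bin")"
    )
    rm -rf "$root"
}
demo
```

Passing a search path containing an empty element (for example "/usr/bin::/bin") shows the other trap the same rule creates: the empty element makes "." read from the current directory.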

