zsh-workers
From: Zefram <A.Main@dcs.warwick.ac.uk>
To: hzoli@cs.elte.hu (Zoltan Hidvegi)
Cc: schaefer@nbn.com, A.Main@dcs.warwick.ac.uk, zsh-workers@math.gatech.edu
Subject: Re: 8-bit patch for zle_tricky.c
Date: Mon, 20 May 1996 22:09:08 +0100 (BST)
Message-ID: <1222.199605202109@stone.dcs.warwick.ac.uk>
In-Reply-To: <199605201836.UAA05688@bolyai.cs.elte.hu> from "Zoltan Hidvegi" at May 20, 96 08:36:16 pm

>Yes, the original Bourne Shell used IFS in the lexer to separate words but
>I think that this does not conform the POSIX Shell and Utilities standard.

It's been a while since I read the standard, and I don't have access to
a copy any more, but I'm pretty sure it's required.  I needed to check
this particular matter for some reason.  Can someone with a POSIX shell
or the standard check this?

>Also it may be a security hole if IFS is exported.  That's why bash and
>ksh does not use IFS here, and zsh should not use it either.

It is a security hole, but (a) setuid shell scripts are insecure anyway
on most systems, and (b) there's a way to avoid it:

#!/bin/sh
IFS=' 	
'
echo Note that IFS is now safe.

The above, as a shell script, is secure if setuid on, for example,
Solaris.  Anyone writing setuid scripts should know this technique.

Another solution would be to remove sensitive parameters such as IFS
and LD_* on initialisation if the PRIVILEGED option is set (euid !=
ruid).  Note that a script can already totally clear the exported
environment by doing `typeset +x -m \*`.

-zefram
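The following is an added example, not part of Zefram's message or of zsh itself. It demonstrates the point of the IFS reset above in portable POSIX sh: an unquoted expansion splits differently under an inherited IFS than under the default one, so a privileged script should restore IFS before it relies on word splitting. It also shows the other suggestion from the message, dropping the exported LD_* parameters, done in sh rather than with zsh's typeset. The functions count_fields, count_fields_safe and harden_env, and the value /constructed/dir, are all constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original message). Assumes a POSIX sh.

# Count the words an unquoted expansion of $1 splits into under the IFS the
# script inherited from its environment.
count_fields() {
    set -- $1
    echo "$#"
}

# Restore IFS to space, tab, newline and drop exported LD_* variables, the two
# clean-ups the message proposes for a privileged (setuid) script.
harden_env() {
    # $(...) strips trailing newlines, so append a sentinel 'x' and remove it
    # to keep the newline in IFS.
    IFS=$(printf ' \t\nx'); IFS=${IFS%x}
    # Only safe after IFS is sane: the splitting of $(env ...) into names
    # itself depends on IFS. (A variable whose value contains newlines could
    # produce a spurious LD_* name; unsetting a non-existent name is harmless.)
    for name in $(env | sed -n 's/^\(LD_[A-Za-z0-9_]*\)=.*/\1/p'); do
        unset "$name"
    done
}

# Same count as count_fields, but after the reset, done in a subshell so the
# caller's IFS is left alone.
count_fields_safe() {
    ( harden_env; set -- $1; echo "$#" )
}

# Demo: the same unquoted expansion splits into 3 words under an inherited
# IFS=':' but into 1 word once IFS is back to its default.
IFS=':'
printf 'with inherited IFS=":" : %s field(s)\n' "$(count_fields 'a:b:c')"
printf 'after resetting IFS     : %s field(s)\n' "$(count_fields_safe 'a:b:c')"
harden_env
```

Run it as a script or source it into an interactive sh; the first printf reports 3 fields and the second 1. Putting harden_env at the very top of a script is the sh equivalent of the three-line IFS assignment in the message, with the LD_* removal added.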