From: Peter Stephenson
To: "Zsh Workers", 162291@bugs.debian.org
Subject: Re: Bug in executable completion: unable to handle .. it $PATH
In-Reply-To: Message from Bart Schaefer of "Wed, 07 Jan 2009 12:18:19 PST." <090107121819.ZM27726@torch.brasslantern.com>
Date: Wed, 07 Jan 2009 20:49:08 +0000

Bart Schaefer wrote:
> On Jan 7, 8:09pm, Peter Stephenson wrote:
> }
> } This is done explicitly in the code, but I have no idea why; it precedes
> } the CVS archive. The function isrelative() is only used by hashdir().
>
> I believe it's a security thing, so that an inherited $PATH can't fool
> someone into executing code from an unexpected place.

I don't think that can be it, since this feature is only in the command
hashing. If you type the command name in full it will still be
executed. So this has virtually no effect on non-interactive use.

Since the path is still absolute I don't see how this could affect
security, either, except maybe at second hand... if you sanitized the
early part of the path but didn't look for "..", so the component could
end up pointing out of that area, for example. But that doesn't seem to
me to be the shell's problem.

--
Peter Stephenson
Web page now at http://homepage.ntlworld.com/p.w.stephenson/
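
The "second hand" case described in the message above, as an added example that is not part of the original post or of the zsh source: a POSIX sh audit of a PATH-style string that flags entries which begin with an allowed root but leave it through "..". The root /opt/tools, the sample PATH and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not zsh code): audit a PATH-style string against an allowed root.
# The root /opt/tools and the sample PATH at the bottom are constructed.

# Lexically collapse "", "." and ".." in an absolute path.
# No filesystem access: symlinks are not resolved.
normalize_path() (
  out= rest=${1#/}
  while [ -n "$rest" ]; do
    part=${rest%%/*}
    case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    case $part in
      ''|.) ;;
      ..) out=${out%/*} ;;          # drop the last kept component, if any
      *) out=$out/$part ;;
    esac
  done
  printf '%s\n' "${out:-/}"
)

# check_entry ROOT ENTRY prints one verdict:
#   ok       absolute and still under ROOT after normalization
#   escapes  starts with ROOT textually, but ".." takes it outside
#   outside  absolute, not under ROOT
#   relative empty, ".", "../bin" etc.: meaning depends on the cwd
check_entry() (
  root=$(normalize_path "$1"); root=${root%/}
  entry=$2
  case $entry in
    /*) norm=$(normalize_path "$entry")
        case $norm/ in
          "$root"/*) echo ok ;;
          *) case $entry/ in
               "$root"/*) echo escapes ;;
               *) echo outside ;;
             esac ;;
        esac ;;
    *) echo relative ;;
  esac
)

# audit_path ROOT PATHSTRING prints "verdict<TAB>entry" for every entry,
# including empty ones (an empty PATH entry means the current directory).
audit_path() (
  root=$1 rest=$2:
  while [ -n "$rest" ]; do
    entry=${rest%%:*}; rest=${rest#*:}
    printf '%s\t%s\n' "$(check_entry "$root" "$entry")" "$entry"
  done
)

audit_path /opt/tools '/opt/tools/bin:/opt/tools/../../tmp/bin:/usr/bin:.:/opt/tools/bin/../lib'
```

A check that only compares the leading text of each entry with the root would accept the second entry; comparing the normalized form is what catches it.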