From: Vincent Lefevre <vincent@vinc17.net>
To: zsh-workers@zsh.org
Subject: Re: glob qualifier '-' doesn't work correctly on dangling symlinks
Date: Wed, 15 Apr 2020 11:17:33 +0200
Message-ID: <20200415091733.GA2800550@zira.vinc17.org>
In-Reply-To: <20200415004403.7a974d63@tarpaulin.shahaf.local2>

On 2020-04-15 00:44:03 +0000, Daniel Shahaf wrote:
> Stephane Chazelas wrote on Tue, 14 Apr 2020 13:38 +0100:
[Pathological errors in globbing]
> > What's the worst that can happen if it's not handled "properly"?
>
> Depends on how we handle it, obviously. If we handle it by returning an
> error and aborting the current command line, the worst that can happen
> is that a command line (or script) would be aborted, whereas currently
> it would silently continue execution with wrong data.

For instance, one can imagine a script that would fix permissions
based on a glob like *(W) before making the directory world-readable.
If the error is not reported, some files would be left world-writable
and an attack would be possible due to the directory becoming
world-readable. With an error, the script would be able to detect
the issue or abort (e.g. with "set -e").
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
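
The scenario in the message above, written fail-closed, as an added example that is not part of the original message or of zsh: it uses POSIX sh and find(1) instead of the zsh `*(W)` glob, because find exits non-zero when it cannot examine an entry. The function name `publish_dir` is hypothetical, and `-mindepth`/`-maxdepth` are assumed to be available (GNU, BSD and BusyBox find).

```shell
#!/bin/sh
# Added example (hypothetical helper): clear o+w on the entries of a
# directory, then make the directory world-readable, refusing to open it
# if the entries could not all be examined.
# Usage: publish_dir /path/to/dir

publish_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "publish_dir: not a directory: $dir" >&2; return 2; }

    # Pass 1: strip the world-writable bit. Symlinks are skipped: their own
    # mode always looks world-writable and chmod would follow them.
    # find returns non-zero if it could not stat or read an entry, or if
    # chmod failed, so an incomplete listing is not mistaken for "no matches".
    find "$dir" -mindepth 1 -maxdepth 1 ! -type l -perm -0002 \
        -exec chmod o-w -- {} + || {
        echo "publish_dir: errors while fixing entries, $dir left closed" >&2
        return 1
    }

    # Pass 2: verify. Anything still world-writable, or any error while
    # checking, keeps the directory closed.
    left=$(find "$dir" -mindepth 1 -maxdepth 1 ! -type l -perm -0002 -print) || {
        echo "publish_dir: verification failed, $dir left closed" >&2
        return 1
    }
    if [ -n "$left" ]; then
        echo "publish_dir: still world-writable:" >&2
        printf '%s\n' "$left" >&2
        return 1
    fi

    # Only now expose the directory.
    chmod o+rx -- "$dir"
}
```

Unlike `*`, find also covers dot files, so the check is slightly broader than the glob in the message.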