From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from euclid.skiles.gatech.edu (list@euclid.skiles.gatech.edu [130.207.146.50])
	by melb.werple.net.au (8.7.5/8.7.3) with ESMTP id JAA26189
	for ; Tue, 21 May 1996 09:18:05 +1000 (EST)
Received: (from list@localhost)
	by euclid.skiles.gatech.edu (8.7.3/8.7.3) id TAA15741;
	Mon, 20 May 1996 19:01:32 -0400 (EDT)
Resent-Date: Mon, 20 May 1996 19:01:32 -0400 (EDT)
From: Zefram
Message-Id: <5723.199605202255@stone.dcs.warwick.ac.uk>
Subject: Re: 8-bit patch for zle_tricky.c
To: hniksic@public.srce.hr
Date: Mon, 20 May 1996 23:55:09 +0100 (BST)
Cc: A.Main@dcs.warwick.ac.uk, hzoli@cs.elte.hu, schaefer@nbn.com, zsh-workers@math.gatech.edu
In-Reply-To: <199605202243.AAA17633@jagor.srce.hr> from "Hrvoje Niksic" at May 21, 96 00:43:29 am
X-Loop: zefram@dcs.warwick.ac.uk
X-Stardate: [-31]7534.77
X-US-Congress: Moronic fuckers
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Resent-Message-ID: <"ScuiQ1.0.tr3.CdFen"@euclid>
Resent-From: zsh-workers@math.gatech.edu
X-Mailing-List: archive/latest/1107
X-Loop: zsh-workers@math.gatech.edu
Precedence: list
Resent-Sender: zsh-workers-request@math.gatech.edu

>As far as I understand, the other problem is with setuid programs calling
>other programs with system(), like:
>system("/bin/date");
>to output date. If the IFS contains '/', someone might have a program named
>bin in their path, and then...

There's a simple solution to that. Set IFS before using system. IMO,
setuid programs shouldn't be using system(3), but it is possible to do
it safely.

-zefram
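
Added example, not part of the original message or of the zsh sources: the two options the reply names, written out in C. One pins IFS before calling system(3), the other avoids the shell entirely with fork/execve. The function names, the PATH value and the contents of the clean environment are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed minimal environment: fixed PATH, IFS = space, tab, newline. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Turn a wait status into an exit code; -1 if the child did not exit normally. */
static int exit_code(int status)
{
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* The reply's fix: pin IFS (and PATH) in our own environment, then call
 * system(3), so the shell it starts cannot inherit a caller-chosen IFS. */
int system_pinned(const char *cmd)
{
    if (setenv("IFS", " \t\n", 1) != 0 || setenv("PATH", "/usr/bin:/bin", 1) != 0)
        return -1;
    return exit_code(system(cmd));
}

/* No shell at all: exec an absolute path with only clean_env.
 * Nothing is word-split, and no inherited variable reaches the child. */
int run_clean(const char *path, char *const argv[])
{
    int status;
    pid_t pid;

    if (path == NULL || path[0] != '/')
        return -1;                  /* refuse anything needing a PATH search */
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);                 /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return exit_code(status);
}

int main(void)
{
    char *const argv[] = { "date", NULL };
    return run_clean("/bin/date", argv);    /* the thread's example command */
}
```

Shells that follow POSIX reset IFS to its default at startup, so on those the pinned IFS is a second layer of protection; run_clean does not depend on shell behaviour at all.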