From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from euclid.skiles.gatech.edu (list@euclid.skiles.gatech.edu [130.207.146.50]) by melb.werple.net.au (8.7.5/8.7.3) with ESMTP id KAA27504 for ; Tue, 21 May 1996 10:00:26 +1000 (EST) Received: (from list@localhost) by euclid.skiles.gatech.edu (8.7.3/8.7.3) id TAA16682; Mon, 20 May 1996 19:39:51 -0400 (EDT) Resent-Date: Mon, 20 May 1996 19:39:51 -0400 (EDT) From: Zefram Message-Id: <7771.199605202336@stone.dcs.warwick.ac.uk> Subject: Re: 8-bit patch for zle_tricky.c To: hniksic@public.srce.hr Date: Tue, 21 May 1996 00:36:23 +0100 (BST) Cc: A.Main@dcs.warwick.ac.uk, hzoli@cs.elte.hu, schaefer@nbn.com, zsh-workers@math.gatech.edu In-Reply-To: <199605202308.BAA20042@jagor.srce.hr> from "Hrvoje Niksic" at May 21, 96 01:08:12 am X-Loop: zefram@dcs.warwick.ac.uk X-Stardate: [-31]7534.91 X-US-Congress: Moronic fuckers MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Resent-Message-ID: <"nRCg22.0.a44.7BGen"@euclid> Resent-From: zsh-workers@math.gatech.edu X-Mailing-List: archive/latest/1109 X-Loop: zsh-workers@math.gatech.edu Precedence: list Resent-Sender: zsh-workers-request@math.gatech.edu >Of course. But the point I was trying to make is that not only setuid >scripts, but also setuid C programs calling system (and thus unintentionally >invoking sh) can represent security problems. Which is why IFS is used the >way it is in bash/ksh. As I said, it *is* possible for a privileged script to be secure. IMO it's up to the person writing such scripts to use the methods available. We shouldn't disable a feature just to make this easier. I think field splitting should be off by default in zsh, but SH_WORD_SPLIT or some other option should turn it on. (Maybe SH_WORD_SPLIT should do field splitting on words, and SH_FIELD_SPLIT should do the current filed splitting on parameters.) In any case, this is not a critical issue, and can wait until after 3.0. -zefram