Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: security risk in source builtin?

Dominik Vogt wrote [2003/09/17]:
> A colleague and I just noticed that the "source" builtin looks for
> its argument in the $PATH.  I guess that's something POSIX
> demands, but isn't it also a security risk?  In this case, the
> following happened:
>   $ ls -F
>   test
>   $ cat test
>   echo hello world
>   $ source test
>   /usr/bin/test:3: bad pattern: ^@^F^@(...

Are you really sure you typed "source" here?

> Unless it is really important to have this behaviour for
> compatibility reasons, shouldn't searching the $PATH be at least
> disabled by default?

Quoting the manpage:

       source file [ arg ... ]
              Same  as ., except that the current directory is always searched
              and is always searched first, before directo- ries in $path.

Testing myself:
    /tmp> cat test
    echo hello world
    /tmp> ls -l test
    -rw-r--r--    1 jean-luc jean-luc       17 2003-09-17 08:49 test
    /tmp> . test
    /usr/bin/test:12: parse error near `)'
    /tmp> source test
    hello world

Seems you have typed ". test" :-)

       . file [ arg ... ]
              Read commands from file and execute them in the
              current shell environment.

              If file does not contain a slash, or if PATH_DIRS
              is set, the shell looks in the components of $path
              to  find the  directory  containing  file.  Files
              in the current directory are not read unless `.'
              appears somewhere in $path.  If a file named
              `file.zwc' is found, is newer than file, and is the
              compiled form  (created  with  the zcompile
              builtin) of file, then commands are read from that
              file instead of file.

              If  any  arguments  arg  are  given,  they become
              the positional parameters; the old positional
              parameters are restored when the file is done
              executing.  The exit status is the exit status of
              the last command executed.

> Ciao
> Dominik ^_^  ^_^


 Thomas Köhler Email:   jean-luc@xxxxxxxxxxxxxxxxx     | LCARS - Linux
     <><        WWW:     http://jeanluc-picard.de      | for Computers
                IRC:             jeanluc               | on All Real
               PGP public key available from Homepage! | Starships

Attachment: pgpUE4637lmNH.pgp
Description: PGP signature

Messages sorted by: Reverse Date, Date, Thread, Author