Zsh Mailing List Archive
Messages sorted by:
Re: security risk in source builtin?
- X-seq: zsh-users 6589
- From: Dominik Vogt <dominik.vogt@xxxxxx>
- To: Zsh Users <zsh-users@xxxxxxxxxx>
- Subject: Re: security risk in source builtin?
- Date: Wed, 17 Sep 2003 09:35:24 +0200
- In-reply-to: <20030917065802.GA5374@xxxxxxxxxxxxxxxxx>
- Mail-followup-to: Zsh Users <zsh-users@xxxxxxxxxx>
- Mailing-list: contact zsh-users-help@xxxxxxxxxx; run by ezmlm
- References: <20030916145820.GC4583@xxxxxx> <20030917065802.GA5374@xxxxxxxxxxxxxxxxx>
- Reply-to: dominik.vogt@xxxxxx
On Wed, Sep 17, 2003 at 08:58:02AM +0200, Thomas Köhler wrote:
> Dominik Vogt wrote [2003/09/17]:
> > A colleague and I just noticed that the "source" builtin looks for
> > its argument in the $PATH. I guess that's something POSIX
> > demands, but isn't it also a security risk? In this case, the
> > following happened:
> > $ ls -F
> > test
> > $ cat test
> > echo hello world
> > $ source test
> > /usr/bin/test:3: bad pattern: ^@^F^@(...
> Are you really sure you typed "source" here?
I may have confused the test cases for bash and zsh. Thanks for
pointing that out. However, that does not change my concern that
"source" (as well as ".") is a security risk.
> > Unless it is really important to have this behaviour for
> > compatibility reasons, shouldn't searching the $PATH be at least
> > disabled by default?
> Quoting the manpage:
> source file [ arg ... ]
> Same as ., except that the current directory is always searched
> and is always searched first, before directo- ries in $path.
> Testing myself:
> /tmp> cat test
> echo hello world
> /tmp> ls -l test
> -rw-r--r-- 1 jean-luc jean-luc 17 2003-09-17 08:49 test
> /tmp> . test
> /usr/bin/test:12: parse error near `)'
> /tmp> source test
> hello world
> Seems you have typed ". test" :-)
> . file [ arg ... ]
> Read commands from file and execute them in the
> current shell environment.
> If file does not contain a slash, or if PATH_DIRS
> is set, the shell looks in the components of $path
> to find the directory containing file. Files
> in the current directory are not read unless `.'
> appears somewhere in $path. If a file named
> `file.zwc' is found, is newer than file, and is the
> compiled form (created with the zcompile
> builtin) of file, then commands are read from that
> file instead of file.
> If any arguments arg are given, they become
> the positional parameters; the old positional
> parameters are restored when the file is done
> executing. The exit status is the exit status of
> the last command executed.
Dominik ^_^ ^_^
Messages sorted by: