Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: security risk in source builtin?

On Wed, Sep 17, 2003 at 06:24:20PM +0800, James Devenish wrote:
> In message <20030916145820.GC4583@xxxxxx>
> on Tue, Sep 16, 2003 at 04:58:20PM +0200, Dominik Vogt wrote:
> > but isn't it also a security risk?  In this case, the
> > following happened:
> > 
> >   $ ls -F
> >   test
> >   $ cat test
> >   echo hello world
> >   $ source test
> >   /usr/bin/test:3: bad pattern: ^@^F^@(...
> Could you please explain to me how this is a security risk? Are you
> merely trying to say that is offers the possibility of the wrong command
> being executed, or are you saying it could lead to some exploitable
> condition such as execution of a file that could not normally be
> executed?

To the casual user, it is not obvious why the $PATH should be
searched.  After all, scripts read with "source" or "." should
usually not be executable, so they do not belong into any
directory in the $PATH.  On the other hand scripts in the $PATH
normally begin with "#!<path to parser>" and should never be read
with "source" or "." (it's not guaranteed that the "#" character
introduces a comment).

This is not a vulnenrability per se and is not exploitable unless
the user makes an additional mistake (like using "." in the PATH).

The security risk here is that it is by no means obvious that or
why the $PATH is searched for the script.  At the very least, I
think "source" and "." should not attempt to read files in the
$PATH that are not executable.  Of course this is only my mersonal

> How is this different to simply feeding arbitrary bytes to the
> command line with your terminal or pipe?

Only in the way it is invoked.

P.S.:  I'm now subscribed to the mailing list.  It's not necessary
to answer to me personally.


Dominik ^_^  ^_^

Messages sorted by: Reverse Date, Date, Thread, Author