Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: 8-bit patch for zle_tricky.c

X-seq: zsh-workers 1109
From: Zefram <A.Main@xxxxxxxxxxxxxxxxx>
To: hniksic@xxxxxxxxxxxxxx
Subject: Re: 8-bit patch for zle_tricky.c
Date: Tue, 21 May 1996 00:36:23 +0100 (BST)
Cc: A.Main@xxxxxxxxxxxxxxxxx, hzoli@xxxxxxxxxx, schaefer@xxxxxxx, zsh-workers@xxxxxxxxxxxxxxx
In-reply-to: <199605202308.BAA20042@xxxxxxxxxxxxx> from "Hrvoje Niksic" at May 21, 96 01:08:12 am

>Of course. But the point I was trying to make is that not only setuid
>scripts, but also setuid C programs calling system (and thus unintentionally
>invoking sh) can represent security problems. Which is why IFS is used the
>way it is in bash/ksh.

As I said, it *is* possible for a privileged script to be secure.  IMO
it's up to the person writing such scripts to use the methods
available.  We shouldn't disable a feature just to make this easier.  I
think field splitting should be off by default in zsh, but
SH_WORD_SPLIT or some other option should turn it on.  (Maybe
SH_WORD_SPLIT should do field splitting on words, and SH_FIELD_SPLIT
should do the current filed splitting on parameters.)

In any case, this is not a critical issue, and can wait until after 3.0.

-zefram

References:
- Re: 8-bit patch for zle_tricky.c
  - From: Hrvoje Niksic

Messages sorted by: Reverse Date, Date, Thread, Author