Zsh Mailing List Archive

Re: Bug in executable completion: unable to handle .. in $PATH



Bart Schaefer wrote:
> On Jan 7,  8:09pm, Peter Stephenson wrote:
> }
> } This is done explicitly in the code, but I have no idea why; it precedes
> } the CVS archive.  The function isrelative() is only used by hashdir().
> 
> I believe it's a security thing, so that an inherited $PATH can't fool
> someone into executing code from an unexpected place.

I don't think that can be it, since this feature is only in the command
hashing.  If you type the command name in full it will still be
executed.  So this has virtually no effect on non-interactive use.

Since the path is still absolute I don't see how this could affect
security, either, except maybe at second hand... if you sanitized the
early part of the path but didn't look for "..", so the component could
end up pointing out of that area, for example.  But that doesn't seem to
me to be the shell's problem.

-- 
Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
Web page now at http://homepage.ntlworld.com/p.w.stephenson/
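
The second-hand scenario described in this message, as an added example that is not part of the original post and is not zsh source code: a prefix-only check on a $PATH entry accepts a component that ".." takes out of the checked area, while a check that also rejects "." and ".." components does not. The function names, the /opt/tools area and the sample PATH string are constructed for illustration.

```sh
# Added example: constructed values, not zsh source code.

# True if any "/"-separated component of $1 is "." or "..".
has_dot_component() {
    case "/$1/" in
        */./*|*/../*) return 0 ;;
    esac
    return 1
}

# Prefix-only check: is $1 textually inside directory $2?
naive_in_area() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
    esac
    return 1
}

# Same check, but absolute paths only and no "." or ".." components.
strict_in_area() {
    case "$1" in /*) ;; *) return 1 ;; esac
    if has_dot_component "$1"; then return 1; fi
    naive_in_area "$1" "$2"
}

# Print each entry of the PATH-style string $1 that is empty, relative,
# or contains a "." or ".." component; return 1 if anything was printed.
audit_path() {
    audit_rc=0
    audit_list="$1:"          # trailing ":" keeps a final empty entry visible
    audit_ifs=$IFS; IFS=:
    set -f                    # no globbing while splitting
    for audit_e in $audit_list; do
        case "$audit_e" in
            "") echo "empty (current directory)"; audit_rc=1 ;;
            /*) if has_dot_component "$audit_e"; then
                    echo "dot-component: $audit_e"; audit_rc=1
                fi ;;
            *)  echo "relative: $audit_e"; audit_rc=1 ;;
        esac
    done
    set +f; IFS=$audit_ifs
    return $audit_rc
}

# Constructed sample: the second entry passes a prefix check on /opt/tools.
SAMPLE_PATH="/usr/bin:/opt/tools/../../tmp/x:bin:"
audit_path "$SAMPLE_PATH" || true
```

The checks are purely lexical; they do not resolve symbolic links, so an entry that passes can still lead elsewhere on disk.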


