jte@psuvax1.UUCP (Jon Eckhardt) (05/03/87)
We recently converted our 4.2 BSD vaxen to 4.3 and noticed that we no longer had the sources to programs that we thought we had. One of the most important programs that we needed and could not find was the great unshar program. I can not count the number of times that I have used this command. Now I find that our system is lacking this command and I started on a hunt of all *.sources ftp sites w/ no luck. So, will some happy netter please tell me where I can get a copy of unshar, or could you mail me a copy of this great program? Thanks a lot. (And two beers to the writer)

Jon Eckhardt                  | jte@psuvax1.BITNET
736 W. Hamilton Ave.          | jte@psuecl.BITNET (VMS account)
State College, PA 16801       | jte@psuvaxg.BITNET (Last resort for bitnet)
---------------------------------------------------------------------------
UUCP = <allegra,ihnp4,atcgva,burdvax,purdue>!psuvax1!jte
---------------------------------------------------------------------------
PSU #1   Phone: 814-237-1901   Work: (leave message) 814-865-9505   PSU #1
mcb@styx.UUCP (Michael C. Berch) (05/14/87)
I must be dreaming or something ... I have been successfully extracting "shar" format files with the (Bourne) shell for quite a while. What on earth could an "unshar" program do that the shell cannot? If you are security-minded you might want to grep for the extraction lines to see where the files are going to be written, but that's a rather minor concern, and only takes a second even if you do it by hand.

Michael C. Berch / mcb@lll-tis-b.arpa
UUCP: {ames,ihnp4,lll-crg,lll-lcc,mordor}!styx!mcb (now)
UUCP: {ames,ihnp4,lll-crg,lll-lcc,mordor}!lll-tis!mcb (15 May and thereafter)
rdm@cfcl.UUCP (05/15/87)
In article <21446@styx.UUCP>, mcb@styx.UUCP (Michael C. Berch) writes:
> ... What on earth could an "unshar" program do that the shell
> cannot? If you are security-minded you might want to grep for the
> extraction lines to see where the files are going to be written, but
> that's a rather minor concern, and only takes a second even if you
> do it by hand.

There are a number of trojan horses that can be installed in a shar file, and grepping the extraction lines will not find most of them. While I don't feel like posting recipes for them over the net, I submit that a bit of devious thought will yield several possibilities in a hurry.

The "unshar" program is one approach to a solution; my own "sharks" is another. Neither is "complete", as I can think of two approaches that will pass through either one of them. They both, however, deal with some of the most blatant kinds of attacks.

I am glad that you have had no problem with trojan horses in shar files. Neither have I, for what it's worth. My small contribution (sharks) to the tide of paranoia keeps me feeling a bit more secure about using shar files, however, and I will continue to use it. Since it is small, and postnews complains about small source postings, I will include it here:

:
# sharks - SHell ARchive checK Script (Version 5)
#
# The "shar" utility is really a neat hack, but it scares me silly
# from a security perspective.  I DON'T LIKE giving my session over
# to someone else's script, despite the fact that I can take a few
# precautions.  Scanning a shar file for gotchas is impractical,
# since it takes too much time, and one can still miss things.
# Besides, there is even a nifty gotcha I saw that causes vi to
# perform commands while reading in a file(!)
#
# So, I wrote this piece of paranoid code to help me scan shar files
# in a reasonably efficient manner.  It throws away all the here
# document text (using a somewhat naive algorithm), then throws away
# command lines it (quite conservatively) thinks are safe.  The rest
# of the text goes to standard output, for storage and/or perusal.
#
# I'm sure it isn't foolproof.  (It doesn't even TRY to look at the
# code that is being unpacked...)  Still, the resulting output is
# short and sweet, and it tells me everything I want to know before
# submitting my session to the file...
#
# Usage:  sharks foo bar ...
#
# Copyright (C) 1986, Richard Morin.  All Rights Reserved.
#
# Use it (at your own risk, of course), but don't sell it.  Also,
# please let me know about any problems and/or improvements you find.
#
# Version 2 - looks for backquotes in "unquoted" here documents.
# Version 3 - transmits more robustly.
# Version 4 - avoid occasional sed commenting road mine
# Version 5 - tighten up sed script a bit
#
# Richard Morin, proprietor          {hoptoad,leadsv,lll-lcc}!cfcl!rdm
# Canta Forda Computer Lab.          +1 415 994 6860
# Post Office Box 1488               Full spectrum consulting services
# Pacifica, CA  94044  USA           for science and engineering.
#
# P.S.  Long live awk, sed, and sh ! ! !

P='[0-9A-Za-z_-][0-9A-Za-z_-]*'         # pattern for sed script
Q='[^`;|(>]*'                           # ditto

cat $* |                                # collect input files
tr '\011' ' ' |                         # kill off tabs

awk '                                   # kill off here document text

{
  if (hd != "") {                       # here document text
    ss2 = $0                            # get test string
    while (substr(ss2,1,1) == " ")
      ss2 = substr(ss2,2)

    if (index(ss2,ss) == 1) {           # end of here text
      hd = ""
      next
    }
    if (hd == "nq" && index(ss2,"`") != 0)
      print "sharks: DANGER! - backquotes in unquoted here document."
  }
  else                                  # not here document text
    print $0
}

/<</ {                                  # start of here document?
  if (hd != "")                         # no, already in one
    next
  ss = $0                               # yes, set up flags
  ss = substr(ss,index(ss,"<<")+2)
  while (substr(ss,1,1) == " ")
    ss = substr(ss,2)
  fc = substr(ss,1,1)
  if (fc == "'\''") {                   # single quotes used
    hd = "sq"
    ss = substr(ss,2)
    ssq = index(ss,"'\''")
    ss = substr(ss,1,ssq-1)
  }
  else if (fc == "\"") {                # double quotes used
    hd = "dq"
    ss = substr(ss,2)
    ssq = index(ss,"\"")
    ss = substr(ss,1,ssq-1)
  }
  else {                                # no quotes used
    if (fc == "\\") {
      hd = "bs"
      ss = substr(ss,2)
    }
    else {
      hd = "nq"
      print "sharks: CAUTION! - unquoted here document."
    }
    if ((sse = index(ss," ")) > 1)
      ss = substr(ss,1,sse-1)
  }
}
' |
#
# Note that this code is more than a little bit paranoid.  Keep it
# that way...  The code is also rather sprawling, since there seem
# to be about twenty gazillion different versions of shar floating
# about.  Last, if you don't know what it is, don't play with it!!
#
# kill off shar noise
sed '
/^ *\/bin\/echo '$Q'$/d
/^ *\/bin\/echo '$Q'; \/bin\/ls '$Q'$/d
/^ *\/bin\/ls '$Q'$/d
/^ *echo '$Q'$/d
/^ *echo '$Q\($Q\)\'' *$/d
/^ *echo '$Q'; ls '$Q'$/d
/^ *echo '$Q'`wc '$Q'` *$/d
/^ *else *$/d
/^ *exit *[0-9]* *$/d
/^ *fi *$/d
/^ *fi #'$Q'$/d
/^ *if \[ [0-9A-Za-z]*\$'$P' = '$P' ]; then *$/d
/^ *if \[ `wc -c < '$Q'` != '$P' ]; then *$/d
/^ *if test -f '\'$Q\'' *$/d
/^ *if test '$P' != \$1 *$/d
/^ *if test '$P' -ne "`wc -c '$Q'`" *$/d
/^ *if test '$P' -ne "`wc -c '\'$Q\''`" *$/d
/^ *if test '$P' -ne "`wc -c < '\'$Q\''`" *$/d
/^ *ls '$Q'$/d
/^ *set `sum '$Q'` *$/d
/^ *then *$/d
/^ *wc '$Q' | sed '$Q' | diff -b \$'$P' - *$/d
/^ *'$P'='$P' *$/d
'
exit 0                                  # sh doesn't like signature text...
--
Richard Morin, proprietor       {hoptoad,ptsfa}!cfcl!rdm
Canta Forda Computer Lab.       +1 415 994 6860
Copyright 1987, Richard Morin; no redistribution restrictions allowed.
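The thread's point is that handing a shar to sh means executing whatever it contains, while grepping the extraction lines only shows the obvious targets. As an added example (not part of this thread, and not the sharks script or any real unshar), here is a minimal "safe unshar" in Python that extracts the here documents without executing a single command from the archive and refuses destinations outside the current directory. The sample archive is constructed for the example; the parser recognises only the two common extraction forms, `cat > file <<'TAG'` and `sed 's/^X//' > file <<'TAG'`.

```python
import re

# Constructed sample shar (not taken from the thread). The second file uses
# the "X" line-prefix convention that many shar versions emit.
SAMPLE_SHAR = """#! /bin/sh
echo x - hello.c
cat > hello.c <<'EOF'
int main(void) { return 0; }
EOF
echo x - README
sed 's/^X//' > README <<'SHAR_EOF'
XHello
X  world
SHAR_EOF
exit 0
"""

# Only the two common extraction forms are recognised; every other line in
# the archive is a command that is deliberately never run.
HEREDOC_RE = re.compile(
    r"""^\s*(?:cat|sed\s+'s/\^(?P<prefix>.)//')\s*>\s*(?P<path>[^\s<]+)"""
    r"""\s*<<\s*-?\s*['"\\]?(?P<tag>\w+)['"]?\s*$""")


def is_safe_path(path):
    """A shar may only create plain files below the current directory."""
    return (re.fullmatch(r"[A-Za-z0-9._/-]+", path) is not None
            and not path.startswith("/")
            and ".." not in path.split("/"))


def safe_unshar(text):
    """Return {path: contents} for each here document, executing nothing.

    Raises ValueError on an unsafe destination or an unterminated body.
    Bodies are stored literally: sh would expand $var and `cmd` inside an
    unquoted here document, which is exactly what we do not want."""
    files, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        m = HEREDOC_RE.match(lines[i])
        i += 1
        if not m:
            continue
        path, tag, prefix = m.group("path"), m.group("tag"), m.group("prefix")
        if not is_safe_path(path):
            raise ValueError("refusing to write outside cwd: " + path)
        body = []
        while i < len(lines) and lines[i] != tag:
            line = lines[i]
            body.append(line[1:] if prefix and line.startswith(prefix) else line)
            i += 1
        if i == len(lines):
            raise ValueError("unterminated here document for " + path)
        i += 1                                  # skip the terminator line
        files[path] = "\n".join(body) + "\n"
    return files
```

Writing the returned dictionary to disk is left to the caller, so the archive's own commands never get a chance to run; lines that are not here documents can be printed for review, much as sharks does.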