lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) (02/12/91)
In article <1991Feb11.003937.25848@yarra-glen.aaii.oz.au> pem@yarra-glen.aaii.oz.au (Paul E. Maisano) writes:
: I've had a perl program running inside a set-gid wrapper for a while
: with no problem. I recently started getting an "Insecure PATH" message,
: followed by a core dump. After the latest patch, maybe??
:
: Anyway, the offending line was:
:
: chop($ARCH = `/bin/arch`) unless defined($ARCH);
:
: I had to explicitly set the PATH first, to avoid the problem.
:
: Why should that line tell me that PATH is insecure? After all, I used
: an explicit path to access the executable inside the backticks.

Several reasons.

1) It would have to distinguish `/bin/arch` from `/bin/arch; foo`.
2) I'm lazy.
3) There's no guarantee that /bin/arch doesn't exec foo using PATH.
4) You should set the PATH anyway. Don't be so lazy. :-)

Larry
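
The behaviour discussed in this thread, as an added example that is not part of either post: under taint mode (`-T`, which set-id scripts get automatically) backticks are refused while PATH is inherited, and succeed once PATH is set to a fixed value. The helper name `probe_arch`, the PATH value `/bin:/usr/bin` and the extra variables deleted (the list given in perlsec) are assumptions of this example; run it as `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread. Run as: perl -T taint_path.pl
use strict;
use warnings;

# Hypothetical helper: run the command from the post and report the outcome.
sub probe_arch {
    my ($label) = @_;
    my $arch = eval { `/bin/arch` };    # absolute path, as in the original line
    if ($@) {
        (my $err = $@) =~ s/ at .*//s;  # trim file/line for readability
        print "$label: refused ($err)\n";
        return;
    }
    chomp($arch) if defined $arch;
    print "$label: ", (length($arch // '') ? $arch : 'no output'), "\n";
    return $arch;
}

# 1. PATH inherited from the caller is tainted, so taint mode refuses the
#    backticks even though the command itself is named by absolute path.
probe_arch('inherited PATH');

# 2. Replace PATH with a fixed value and drop the other variables that
#    influence the shell. Anything /bin/arch execs through PATH now
#    resolves only in these directories (reason 3 in the reply).
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
probe_arch('fixed PATH');
```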