davidsen@sixhub.UUCP (Wm E. Davidsen Jr) (10/24/90)
As a result of all the discussion in a number of groups about the
security holes in xargs, I have posted yargs to alt.sources. It seems to
have avoided the pitfalls discussed recently, if not let me know.
Cross posting is due to lots of discussion in many places, hope you
only see it once.
--
bill davidsen - davidsen@sixhub.uucp (uunet!crdgw1!sixhub!davidsen)
sysop *IX BBS and Public Access UNIX
moderator of comp.binaries.ibm.pc and 80386 mailing list
"Stupidity, like virtue, is its own reward" -mepfalstad@phoenix.Princeton.EDU (Paul John Falstad) (10/24/90)
In article <2148@sixhub.UUCP> davidsen@sixhub.UUCP (bill davidsen) writes: > As a result of all the discussion in a number of groups about the >security holes in xargs, I have posted yargs to alt.sources. It seems to >have avoided the pitfalls discussed recently, if not let me know. It does fix things for severely brain-damaged versions of xargs that call system(3), but it's still susceptible to filenames with newlines in them. In order to fix this you'd have to add the -print0 option to find(1) to have it output filenames terminated with nulls instead of newlines. Then fix yargs so it uses the null as a delimiter instead of a newline. Otherwise a file called "/u/foobar/junk\n/etc/passwd" will get parsed as "/u/foobar/junk" and "/etc/passwd". The problem is not xargs itself but the combination of find and xargs. -- This is a delicate, sensitive, well-brought-up game which does not recognize the word... well, Whatever it was you just said that we do not recognize. What would Miss Manners say? Who the fuck do you think you are, anyway? Please use another, nice word instead.