oss-security - Re: Shell wildcards considered dangerous?

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <20191209151808.GA35251@orca>
Date: Mon, 9 Dec 2019 15:18:08 +0000
From: Leonid Isaev <leonid.isaev@...x.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shell wildcards considered dangerous?

On Mon, Dec 09, 2019 at 03:42:47PM +0100, Noel Kuntze wrote:
> That is only a problem if the developer(s) foolishly didn't use "--" to
> terminate the command line options or they did, but the argument parser of
> the called program does not understand that "--" is a command line option
> terminator.

I'm sorry, but this has nothing to do with developers of PROGRAM to use or not
user "--", but rather with the user not properly sanitizing the input to the
PROGRAM and not understanding how shell works. Specifically, doing
PROGRAM *.tar is just asking for trouble for many reasons, not mentioned in the
original email. See [1] (and in general BashPitfalls) for a proper discussion...

HTH,
L.

[1] https://mywiki.wooledge.org/BashPitfalls#for_f_in_.24.28ls_.2A.mp3.29

-- 
Leonid Isaev
Linux Support Engineer
iFAX Solutions, Inc.
www.ifax.com

+1.215.825.8700 ext 8126 (office)
+1.215.825.8767 (fax)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.