yargs posted to alt.sources

Paul John Falstad pfalstad at phoenix.Princeton.EDU
Wed Oct 24 13:05:00 AEST 1990


In article <2148 at sixhub.UUCP> davidsen at sixhub.UUCP (bill davidsen) writes:
>  As a result of all the discussion in a number of groups about the
>security holes in xargs, I have posted yargs to alt.sources. It seems to
>have avoided the pitfalls discussed recently, if not let me know.

It does fix things for severely brain-damaged versions of xargs that
call system(3), but it's still susceptible to filenames with newlines in them.
In order to fix this you'd have to add the -print0 option to find(1) to have
it output filenames terminated with nulls instead of newlines.  Then fix yargs
so it uses the null as a delimiter instead of a newline.  Otherwise a file
called "/u/foobar/junk\n/etc/passwd" will get parsed as
"/u/foobar/junk" and "/etc/passwd".  The problem is not xargs itself but
the combination of find and xargs.

--
This is a delicate, sensitive, well-brought-up game which does not recognize
the word... well, Whatever it was you just said that we do not recognize.
What would Miss Manners say?  Who the fuck do you think you are, anyway?
Please use another, nice word instead.
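
The parsing difference described in the post, as an added example that is not part of the original message and is not code from yargs or xargs. The function names `scan_names` and `yields_path` and the second file `/u/foobar/notes` are assumptions made for the illustration; the first filename is the one from the post.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: find -print output for two files, one of them named
 * "/u/foobar/junk\n/etc/passwd" (the name used in the post). */
static const char PRINT_STREAM[] = "/u/foobar/junk\n/etc/passwd\n/u/foobar/notes\n";
/* The same two files as find -print0 would emit them. The literal's implicit
 * final NUL terminates the second name, so its length is sizeof, not sizeof-1. */
static const char PRINT0_STREAM[] = "/u/foobar/junk\n/etc/passwd\0/u/foobar/notes";

/* Walk buf[0..len) as delim-terminated names, as an xargs-style reader would.
 * Returns the number of non-empty names; when path and hit are given, *hit
 * becomes 1 if some name is exactly path. */
static size_t scan_names(const char *buf, size_t len, char delim,
                         const char *path, int *hit)
{
    size_t n = 0, start = 0, i, plen = path ? strlen(path) : 0;

    for (i = 0; i <= len; i++) {
        if (i < len && buf[i] != delim)
            continue;               /* still inside a name */
        if (i > start) {            /* name ended by delim or end of input */
            if (path && hit && i - start == plen &&
                memcmp(buf + start, path, plen) == 0)
                *hit = 1;
            n++;
        }
        start = i + 1;
    }
    return n;
}

/* 1 if splitting on delim produces path as a name of its own, else 0. */
static int yields_path(const char *buf, size_t len, char delim, const char *path)
{
    int hit = 0;
    scan_names(buf, len, delim, path, &hit);
    return hit;
}

int main(void)
{
    printf("newline: %zu names, /etc/passwd split out: %d\n",
           scan_names(PRINT_STREAM, sizeof PRINT_STREAM - 1, '\n', NULL, NULL),
           yields_path(PRINT_STREAM, sizeof PRINT_STREAM - 1, '\n', "/etc/passwd"));
    printf("NUL:     %zu names, /etc/passwd split out: %d\n",
           scan_names(PRINT0_STREAM, sizeof PRINT0_STREAM, '\0', NULL, NULL),
           yields_path(PRINT0_STREAM, sizeof PRINT0_STREAM, '\0', "/etc/passwd"));
    return 0;
}
```

With the newline delimiter the two files on disk are read as three names, one of which was never selected by find; with the NUL delimiter the reader recovers exactly the two names find saw.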


