Beware xargs security holes
Wm E. Davidsen Jr
davidsen at sixhub.UUCP
Tue Oct 23 10:41:17 AEST 1990
In article <4203 at umbc3.UMBC.EDU> rouben at math9.math.umbc.edu.UUCP (Rouben Rostamian) writes:
| Why "small and cautious"? To test whether xargs quotes its arguments,
| in an empty directory do:
|
| touch "This is a test"
| find . -print | xargs rm
That's what I mean by small and cautious.
Actually I tried creating a file called "abc;date" to see if the date
command would be executed, and abc#x to see if the comment character
was okay. These worked, but embedded blanks caused problems. Obviously
either (a) a shell is not being called to process this, or (b) the
shell is run with IFS redefined.
Verdict: xenix xargs is better than some, not perfect.
--
bill davidsen - davidsen at sixhub.uucp (uunet!crdgw1!sixhub!davidsen)
sysop *IX BBS and Public Access UNIX
moderator of comp.binaries.ibm.pc and 80386 mailing list
"Stupidity, like virtue, is its own reward" -me
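The experiment the post describes, written up as an added shell example (not part of the original thread): it counts how many arguments xargs actually hands to the command instead of running rm, so the word-splitting shows up as a number. It assumes GNU or BSD find/xargs with the `-print0`/`-0` options and builds its own throwaway directory of constructed filenames.

```shell
#!/bin/sh
# Added example, not from the original post. Recreates the filenames the
# thread discusses in a scratch directory and counts the arguments xargs
# passes, first with whitespace splitting, then with NUL delimiting.

# Create the constructed test files: one with embedded blanks, one with a
# command separator, one with the shell comment character.
setup_dir() {
    dir=$(mktemp -d)
    touch "$dir/This is a test" "$dir/abc;date" "$dir/abc#x"
    echo "$dir"
}

# Unsafe form: find -print | xargs splits on blanks, so "./This is a test"
# arrives as four separate arguments. Prints the argument count.
unsafe_count() {
    (cd "$1" && find . -type f -print | xargs sh -c 'echo "$#"' sh)
}

# Safe form: -print0 / -0 delimit on NUL, so each filename is one argument
# no matter what characters it contains.
safe_count() {
    (cd "$1" && find . -type f -print0 | xargs -0 sh -c 'echo "$#"' sh)
}

# xargs execs the command directly rather than through a shell, so ";" in a
# filename is passed literally and never separates commands.
literal_arg() {
    (cd "$1" && find . -name 'abc;*' -print0 | xargs -0 sh -c 'printf %s "$1"' sh)
}

d=$(setup_dir)
echo "find -print  | xargs    : $(unsafe_count "$d") arguments"
echo "find -print0 | xargs -0 : $(safe_count "$d") arguments"
echo "';' filename seen by the command as: $(literal_arg "$d")"
rm -rf "$d"
```

With the three constructed files the unsafe pipeline reports 6 arguments and the NUL-delimited one reports 3, which is exactly the breakage a `find | xargs rm` would turn into wrong deletions.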