Beware xargs security holes
Paul John Falstad
pfalstad at phoenix.Princeton.EDU
Mon Oct 22 14:59:24 AEST 1990

In article <2113 at sixhub.UUCP> davidsen at sixhub.UUCP (bill davidsen) writes:
> It *appears* that xenix quotes its arguments in xargs, since I did a
>small and cautious test and it worked all right. How about testing your

Even if the arguments are quoted, xargs still presents a security
problem if it calls system. Just about any program that runs a shell is
unsecure. If your system's xargs calls system, then someone could just create
a file with the quote character in it. The only really safe way is to do an
execve.
--
Paul Falstad, pfalstad at phoenix.princeton.edu PLink:HYPNOS GEnie:P.FALSTAD
And Dinsdale said, "You've been a naughty boy, Clement," and splits me nostrils
open, and saws me leg off, and pulls me liver out. And I said, "My name's not
Clement." And then he loses his temper. And he nails me head to the floor.
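
The difference described in the post above, as an added example that is not part of the original message: the same file name is handed to a command once through a quoted system() string and once as a single execve argument. The function names, the sample file names and the use of sh -c 'exit $#' as an argument counter are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* system()-style: wrap the name in single quotes and let /bin/sh parse the
 * string. "set -- ...; exit $#" makes the shell report how many words it saw. */
int words_via_system(const char *name)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "set -- '%s'; exit $#", name);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* execve-style: the name occupies exactly one argv slot and is never parsed
 * as shell text. The child only counts its arguments so we can observe that. */
int words_via_execve(const char *name)
{
    char *const argv[] = { "sh", "-c", "exit $#", "sh", (char *)name, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/sh", argv, environ);
        _exit(127);                 /* reached only if execve failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

int main(void)
{
    const char *plain = "report.txt";  /* constructed sample name */
    const char *quoted = "a' 'b";      /* constructed name containing ' */
    printf("system: %d %d\n", words_via_system(plain), words_via_system(quoted));
    printf("execve: %d %d\n", words_via_execve(plain), words_via_execve(quoted));
    return 0;
}
```

A count other than 1 on the system() path means the shell re-parsed the file name as syntax; the execve path reports 1 for both names.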