Beware xargs security holes

Dan Bernstein brnstnd at kramden.acf.nyu.edu
Wed Oct 10 05:53:39 AEST 1990


In article <63404 at iuvax.cs.indiana.edu> sahayman at iuvax.cs.indiana.edu (Steve Hayman) writes:
> >Yeah. xargs should have a -0 option for taking null-separated filenames
> >for its input. find should have a -print0 option for producing similar
> >output.
> So long as you have to modify "find" anyway to solve this problem, why
> not just add "-xargs" option to "find", that would be like the "-exec"
> option only using as many file names as possible at once.
> 	find .... -xargs rm {} \;
> Seems simpler than modifying two programs.

On the general grounds of ``modularity'' I'll claim that the separate
commands are more useful. I imagine commands other than xargs being able
to take that 0-terminated list and do something with it.

Modularity aside, it's much, much simpler to add -0 to xargs (a few
lines added) and -print0 to find (just change a \n to \0) than to add
all of the argument handling of xargs into find.

---Dan
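An added example, not part of the original post: the shell sketch below counts the arguments xargs builds from find output when one filename contains a newline, first with newline-terminated names and then with the `-print0` / `-0` pair proposed above (as later implemented in GNU and BSD find and xargs). The directory and file names are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration: the tree and file names here are constructed.

# Create a scratch directory with two files; one name contains a newline.
make_tree() {
    dir=$(mktemp -d) || return 1
    tricky=$(printf 'old\nkeep.txt')
    : > "$dir/keep.txt"
    : > "$dir/$tricky"
    printf '%s\n' "$dir"
}

# Number of arguments xargs builds from newline-terminated find output.
# The embedded newline splits one name into "<dir>/old" and a bare
# "keep.txt", which is a different path from either file in the tree.
count_args_newline() {
    find "$1" -type f -print | xargs sh -c 'echo "$#"' sh
}

# Number of arguments xargs builds from NUL-terminated find output.
# NUL cannot occur in a pathname, so each name arrives intact.
count_args_nul() {
    find "$1" -type f -print0 | xargs -0 sh -c 'echo "$#"' sh
}

# Run both pipelines over the same tree and report the counts.
demo() {
    tree=$(make_tree) || return 1
    echo "files on disk:        2"
    echo "args with -print:     $(count_args_newline "$tree")"
    echo "args with -print0/-0: $(count_args_nul "$tree")"
    rm -rf -- "$tree"
}

demo
```
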


