Beware xargs security holes
Daniel R. Levy
levy at mtcchi.uucp
Mon Oct 29 16:58:26 AEST 1990
>>But it's still susceptible to filenames with carriage returns, and will
>>be until find has a -print0 option. Please, please, please don't claim
>>that your xargs is by any means secure when a standard command like
>>
>> find / -name '#*' -atime +7 -print | xargs rm
>>
>>lets a malicious user remove every file on the system. Maybe it's
>>unreasonable of me to want others to live up to my standard of security,
>>but in my eyes no \n-parsing xargs qualifies as ``a good job.'' Sorry.
For a brief moment there I thought one could do an end run by telling
find not to match files whose names contain newline (e.g. ! -name '*^J*'
where ^J is an actual newline character). But alas, that does not exclude
files within directories whose names (the directories' that is) contain
newlines. Oh well.
--
* Daniel R. Levy * uunet!tellab5!mtcchi!levy * |
* These views are live; they are not Memorex' * --+--
"Because we love something else more than this world we love even |
this world better than those who know no other" -- C. S. Lewis |
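As an added illustration, not part of Levy's post, the script below builds a throwaway tree containing a file name and a directory name with an embedded newline, then counts how many arguments each find/xargs pipeline actually hands to its command. It assumes a find that supports -print0 and an xargs that supports -0 (both standard on GNU and BSD systems today) and a temp directory path without whitespace; the name-filtered variant shows the point made above, that excluding newline names with ! -name still leaks the file inside the newline-named directory.

```shell
#!/bin/sh
# Added demonstration, not from the original post. Everything happens
# inside a fresh mktemp directory; no path outside it is touched.

# A shell variable holding a single newline (portable idiom).
nl=$(printf '\nx'); nl=${nl%x}

# Build the sample tree (constructed names) and print its path.
make_tree() {
    tmp=$(mktemp -d) || return 1
    # Regular file whose name contains a newline.
    : > "$tmp/junk${nl}file"
    # Directory whose name contains a newline and a space, holding a plain file.
    mkdir "$tmp/dir${nl}with newline"
    : > "$tmp/dir${nl}with newline/plain"
    # An ordinary file, found correctly either way.
    : > "$tmp/ordinary"
    printf '%s\n' "$tmp"
}

# The pipeline from the thread: newline-terminated names, whitespace-split
# by xargs. Prints the number of arguments the command actually receives
# (the three real files become six bogus path fragments).
count_newline_split() {
    find "$1" -type f -print | xargs sh -c 'echo "$#"' _
}

# Levy's attempted end run: skip entries whose own name contains a newline.
# The file inside the newline-named directory still gets through and is
# still split, so the count is four, not two.
count_name_filtered() {
    find "$1" -type f ! -name "*${nl}*" -print | xargs sh -c 'echo "$#"' _
}

# The fix: NUL-terminated names, which no file name can contain.
# Exactly three arguments reach the command, one per real file.
count_nul_split() {
    find "$1" -type f -print0 | xargs -0 sh -c 'echo "$#"' _
}
```

Replace the `sh -c 'echo "$#"' _` stand-in with `rm --` only in the `-print0`/`-0` form; the argument count is the check to run before trusting any such pipeline on real data.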