Subject: Re: File names and security...
To: None <current-users@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Date: 06/12/1997 08:19:37

> If 'xargs' is currently so broken that it runs the command thru
> 'sh -c' first or something, then we deserve to be bitten by this.

No, it doesn't; but you've misunderstood the problem.

> ...which means that "rm" gets called with, say "foo; chmod 666 /etc/passwd"
> or "foo\nchmod 666 /etc/passwd" (s/passwd/master.&/g) which would
> properly produce [an error]

The problem isn't embedding commands. The problem is, if someone has
(say) a file /tmp/foo\n/etc/master.passwd (which is trivial to create,
if that oddly-named directory doesn't already exist), and root runs

    # find /tmp/. -.... -print | xargs rm

then xargs will take the \n in the filename as an argument-separating
newline and cheerfully nuke /etc/master.passwd.

Of course, making it

    # find /tmp/. -.... -print0 | xargs -0 rm

will cure this...but those are nonstandard. (I have never been able to
figure out what POSIX xargs is supposed to be good for; it not only has
this problem but also does a lot more parsing on its input, making it
essentially useless for the stuff it normally gets used for. A
_useful_ xargs is so trivial to write that I see no excuse for not
always having one on hand. (I will happily mail mine to anyone who
mails me privately asking for it.))

7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
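
The argument splitting described in the message above, reproduced inside a throwaway directory, as an added example that is not part of the original message. A probe script stands in for rm and only reports when one of its arguments is exactly the stand-in victim path; the sandbox layout, PROBE and the function names are assumptions made for this illustration, and the `find ... -exec ... {} +` form, which the message does not mention, is included as a third variant that avoids the pipe altogether.

```shell
#!/bin/sh
# Added illustration: all paths live under a fresh mktemp directory (constructed
# sandbox); nothing outside it is touched and the probes delete nothing.

# Stand-in for rm: prints "hit" for each argument that is exactly the path in $0.
PROBE='for a do [ "$a" = "$0" ] && echo hit; done; exit 0'

make_sandbox() {
    sb=$(mktemp -d) || return 1
    victim="$sb/etc/master.passwd"      # stand-in for the real /etc/master.passwd
    # Directory named "foo<newline>" holding a copy of the victim's path, so the
    # full name reads "<sb>/tmp/foo", newline, "<sb>/etc/master.passwd".
    mkdir -p "$sb/etc" "$sb/tmp/foo
$sb/etc" || return 1
    : > "$victim"
    : > "$sb/tmp/foo
$victim"
}

cleanup() { [ -n "$sb" ] && rm -rf "$sb"; }

# Newline-delimited: xargs splits the one name into two arguments.
hits_newline() {
    find "$sb/tmp" -type f -print | xargs sh -c "$PROBE" "$victim" | wc -l | tr -d ' '
}

# NUL-delimited: the name arrives as a single argument, newline included.
hits_nul() {
    find "$sb/tmp" -type f -print0 | xargs -0 sh -c "$PROBE" "$victim" | wc -l | tr -d ' '
}

# No pipe at all: find hands each name to the command as one argument.
hits_exec() {
    find "$sb/tmp" -type f -exec sh -c "$PROBE" "$victim" {} + | wc -l | tr -d ' '
}

make_sandbox || exit 1
trap cleanup EXIT
echo "-print  | xargs    : $(hits_newline) argument(s) equal to the victim path"
echo "-print0 | xargs -0 : $(hits_nul)"
echo "-exec ... {} +     : $(hits_exec)"
```

Only the newline-delimited pipeline hands the command an argument equal to the victim path, even though no file under the searched directory has that name.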