Bugtraq mailing list archives
Re: MC shell scripts
From: miguel () NUCLECU UNAM MX (Miguel de Icaza)
Date: Mon, 19 Jan 1998 16:45:51 -0600
I discovered a problem with Midnight Commander's method of decompressing archives, which allows execution of hidden commands. Evil file may be prepared this way:

$ gzip foo
$ mv foo.gz "quake2-test-unknown-linux-'\`rm -f *\`'-elf-i386-generic-beta.gz"

Now, this filename, when displayed by user-friendly programs (www or ftp browsers, file managers), will be cropped to fit in a window :) Under my mc (vidmode 11) it's displayed as:
This problem has been fixed in the recent editions of the GNU Midnight Commander by Norbert Warmuth. Recent versions of the GNU Midnight Commander do not have this problem.

To get a recent version of the program, check ftp://ftp.nuclecu.unam.mx/linux/local for the latest stable release of the program.

Best wishes,
Miguel.
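
The class of bug discussed in this thread, as an added example that is not part of the original messages and is not Midnight Commander's code. It assumes a handler that pastes the file name between single quotes into a command string (the shape of the reported name suggests this; the page does not show the handler); the function names and the sample file name are constructed for illustration, with a harmless touch in place of the reported command.

```shell
#!/bin/sh
# Added illustration; not Midnight Commander code. The file name below is
# constructed and carries a harmless `touch INJECTED` as its embedded command.

# sh_quote NAME: print NAME as one single-quoted shell word, with every
# embedded ' rewritten as '\'' so no part of NAME reaches the shell parser.
sh_quote() {
    s=$1 out=
    while :; do
        case $s in
            *\'*) head=${s%%\'*}; s=${s#*\'}; out="$out$head'\\''" ;;
            *)    out="$out$s"; break ;;
        esac
    done
    printf "'%s'" "$out"
}

# Assumed weak pattern: wrap the name in '...' without escaping quotes in it.
# A ' inside the name closes the quoting, so `...` after it is executed.
view_naive() { sh -c "gzip -dc '$1'" 2>/dev/null; }

# Hardened: escape the name before it is pasted into the command string.
view_quoted() { sh -c "gzip -dc -- $(sh_quote "$1")"; }

# Preferred: no command string at all; the name is a single argv entry.
view_argv() { gzip -dc -- "$1"; }

# demo: run all three against the constructed name in a scratch directory and
# report whether the embedded command ran (marker file INJECTED appears).
demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    name="demo-'\`touch INJECTED\`'-beta.gz"
    printf 'constructed sample data\n' | gzip -c > "$name"
    for f in view_argv view_quoted view_naive; do
        rm -f INJECTED
        "$f" "$name" >/dev/null || true
        if [ -e INJECTED ]; then echo "$f: embedded command RAN"
        else echo "$f: name treated as data"; fi
    done
    cd / && rm -rf "$dir"
)

demo
```

Only view_naive reports that the embedded command ran; the other two decompress the file under its literal name.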