oss-sec mailing list archives

Re: Shell wildcards considered dangerous?


From: Leonid Isaev <leonid.isaev () ifax com>
Date: Mon, 9 Dec 2019 15:18:08 +0000

On Mon, Dec 09, 2019 at 03:42:47PM +0100, Noel Kuntze wrote:
> That is only a problem if the developer(s) foolishly didn't use "--" to
> terminate the command line options or they did, but the argument parser of
> the called program does not understand that "--" is a command line option
> terminator.

I'm sorry, but this has nothing to do with developers of PROGRAM using or not
using "--", but rather with the user not properly sanitizing the input to the
PROGRAM and not understanding how the shell works. Specifically, doing
PROGRAM *.tar is just asking for trouble for many reasons, not mentioned in the
original email. See [1] (and in general BashPitfalls) for a proper discussion...

HTH,
L.

[1] https://mywiki.wooledge.org/BashPitfalls#for_f_in_.24.28ls_.2A.mp3.29

-- 
Leonid Isaev
Linux Support Engineer
iFAX Solutions, Inc.
www.ifax.com

+1.215.825.8700 ext 8126 (office)
+1.215.825.8767 (fax)
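Added worked example (not part of either message in this thread): a POSIX shell script that reproduces the hazard Leonid describes with a bare PROGRAM *.tar style invocation, using sort(1) as the stand-in program and a constructed scratch directory containing a file literally named "-r". It shows the bare glob turning that file name into an option, then the two guards from BashPitfalls: "--" to end option parsing, and a ./ prefix on the glob for programs whose parser does not honour "--". The scratch directory, file contents and helper function names are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added example: shows how an unquoted glob hands a file *name* to a program
# as an option, and the two standard guards ("--" and a "./" prefix).
# The target program is POSIX sort(1); the scratch files are constructed here.

set -u

# Create a scratch directory holding an ordinary data file plus an empty
# file whose name is the sort(1) "reverse" flag. Prints the directory path.
# "words.txt" is chosen so that it collates after "-r" both in the C locale
# and in locales that ignore punctuation, giving a stable expansion order.
make_fixture() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' banana apple cherry > "$dir/words.txt"
    : > "$dir/-r"
    printf '%s\n' "$dir"
}

# Unsafe: bare glob. The shell expands * to "-r words.txt", so sort parses
# -r as an option and silently emits the lines in reverse order.
sort_unsafe() {
    ( cd "$1" && LC_ALL=C sort * )
}

# Guard 1: "--" ends option parsing; every later word is a file operand.
# Only helps when the program's argument parser honours "--".
sort_safe_dashdash() {
    ( cd "$1" && LC_ALL=C sort -- * )
}

# Guard 2: prefix the glob so no expansion can begin with "-". Works for
# any program, including ones that do not understand "--".
sort_safe_dotslash() {
    ( cd "$1" && LC_ALL=C sort ./* )
}

# Audit helper: count entries directly under a directory whose names start
# with "-", i.e. the ones a bare glob would turn into options.
count_dash_names() {
    ( cd "$1" && find . ! -name . -prune -name '-*' | wc -l | tr -d ' ' )
}

# Stand-alone run ("sh this.sh demo"): print each variant's first output line.
if [ "${1-}" = "demo" ]; then
    d=$(make_fixture)
    printf 'unsafe    : %s\n' "$(sort_unsafe "$d" | head -n 1)"
    printf 'with --   : %s\n' "$(sort_safe_dashdash "$d" | head -n 1)"
    printf 'with ./   : %s\n' "$(sort_safe_dotslash "$d" | head -n 1)"
    printf 'dash names: %s\n' "$(count_dash_names "$d")"
    rm -rf "$d"
fi
```

The unsafe form prints "cherry" first because sort received -r as a flag; both guarded forms print "apple" first and also read the "-r" file as data. Of the two, the ./ prefix is the one the caller controls regardless of how PROGRAM parses its arguments, which is the point Leonid makes: the fix sits on the invoking side.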
