oss-sec mailing list archives
Re: Shell wildcards considered dangerous?
From: Leonid Isaev <leonid.isaev () ifax com>
Date: Mon, 9 Dec 2019 15:18:08 +0000
On Mon, Dec 09, 2019 at 03:42:47PM +0100, Noel Kuntze wrote:
> That is only a problem if the developer(s) foolishly didn't use "--" to terminate the command line options or they did, but the argument parser of the called program does not understand that "--" is a command line option terminator.
I'm sorry, but this has nothing to do with developers of PROGRAM to use or not use "--", but rather with the user not properly sanitizing the input to the PROGRAM and not understanding how shell works. Specifically, doing PROGRAM *.tar is just asking for trouble for many reasons, not mentioned in the original email. See [1] (and in general BashPitfalls) for a proper discussion...

HTH,
L.

[1] https://mywiki.wooledge.org/BashPitfalls#for_f_in_.24.28ls_.2A.mp3.29

--
Leonid Isaev
Linux Support Engineer
iFAX Solutions, Inc.
www.ifax.com
+1.215.825.8700 ext 8126 (office)
+1.215.825.8767 (fax)
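Added example, not part of the original message or of either poster's code: it compares how many glob results an option parser would see as options for `PROGRAM *.tar`, `PROGRAM -- *.tar` and `PROGRAM ./*.tar`, and lists names in a directory that start with `-`. `count_as_options` is a hypothetical stand-in for PROGRAM's argument parser, and the file names are constructed samples.

```shell
#!/bin/sh
# Hypothetical stand-in for PROGRAM: counts the arguments a conventional
# option parser would treat as options (leading '-', before any "--").
count_as_options() {
    n=0
    for a in "$@"; do
        case $a in
            --) break ;;              # option terminator: stop scanning
            -?*) n=$((n + 1)) ;;      # looks like an option, not a file
        esac
    done
    echo "$n"
}

# Audit helper: print names matching *.tar in directory $1 that begin with
# '-' and would therefore reach a program as option-like arguments.
risky_names() (
    cd "$1" || exit 1
    for f in ./*.tar; do
        [ -e "$f" ] || continue       # an unmatched glob stays literal
        case ${f#./} in
            -*) printf '%s\n' "${f#./}" ;;
        esac
    done
)

# Build a scratch directory with constructed sample names and compare the
# three invocation styles. Prints "<bare> <terminated> <prefixed>".
demo() (
    d=$(mktemp -d) || exit 1
    cd "$d" || exit 1
    : > ./a.tar
    : > ./-v.tar                      # constructed sample name
    bare=$(count_as_options *.tar)    # glob expands to "-v.tar a.tar"
    term=$(count_as_options -- *.tar) # "--" ends option parsing first
    pref=$(count_as_options ./*.tar)  # every result starts with "./"
    cd / && rm -rf -- "$d"
    echo "$bare $term $pref"
)

demo
```

The `./` prefix does not depend on the called program honouring `--`, which is the case the quoted message raises.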