Vulnerability Development mailing list archives

Re: ls bug.


From: "Crist J. Clark" <crist.clark () attbi com>
Date: Sat, 16 Feb 2002 00:19:04 -0800

On Fri, Feb 15, 2002 at 04:04:34PM +0200, Ehud Tenenbaum wrote:
> Hey again...
>
> Well no point to flame someone for making a mistake
> no big deal we are sorry for posting this ls bug which is not a bug.

Yes. There is a point. If you are not sure you have a security bug,
feel free to post questions about _potential_ issues on this list; it
is within the charter. Someone who asks, "Hey, is this a bug? Why does
this happen?" would get much nicer treatment than a "Security Team"
that makes an announcement about security bugs they have found when they
really just don't have a basic understanding of how shell expansions
work.

The signal-to-noise ratio out there is already low enough. The
security community does not need people posting bogus alerts whenever
someone sees behavior they do not understand.

> Petrus : 2 ways to delete -ls ? well here is one rm -rf /full/path/-ls
> second one
>         rm -rf ./-ls  :P

Or,

  rm -- -ls

This is handy for your "bug." You can do,

  ls -- *

And not worry about what flags '*' may expand to. 
-- 
Crist J. Clark                     |     cjclark () alum mit edu
                                   |     cjclark () jhu edu
http://people.freebsd.org/~cjc/    |     cjc () freebsd org
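
The shell expansion behaviour discussed in this message, as an added example that is not part of the original post: it shows how a file named `-ls` is read as options once `*` expands, and how `--` or a `./` prefix prevents that. The scratch directory, `notes.txt` and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. The directory and notes.txt are constructed; "-ls" is the
# file name from the thread.

# Create a scratch directory holding a file literally named "-ls".
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/-ls" && : > "$d/notes.txt" || return 1
    printf '%s\n' "$d"
}

# Unguarded: the shell expands * to "-ls notes.txt" before ls runs, so ls
# receives "-ls" as the option cluster -l -s, not as a file name.
list_unguarded() { ( cd "$1" && LC_ALL=C ls * ); }

# Guarded: "--" ends option parsing; everything after it is an operand.
list_guarded() { ( cd "$1" && LC_ALL=C ls -- * ); }

# Also guarded: with a "./" prefix no expanded word can start with "-".
list_prefixed() { ( cd "$1" && LC_ALL=C ls ./* ); }

# Delete the awkward file the same way: rm -- -ls
remove_dash_file() { ( cd "$1" && rm -- -ls ); }

run_demo() {
    dir=$(make_demo_dir) || return 1
    echo "ls *    :"; list_unguarded "$dir"
    echo "ls -- * :"; list_guarded "$dir"
    echo "ls ./*  :"; list_prefixed "$dir"
    remove_dash_file "$dir" && echo "removed -ls"
    rm -rf -- "$dir"
}
run_demo
```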

