Zsh Mailing List Archive

Re: security risk in source builtin?
On Wed, Sep 17, 2003 at 08:58:02AM +0200, Thomas Köhler wrote:
> Dominik Vogt wrote [2003/09/17]:
> > A colleague and I just noticed that the "source" builtin looks for
> > its argument in the $PATH.  I guess that's something POSIX
> > demands, but isn't it also a security risk?  In this case, the
> > following happened:
> > 
> >   $ ls -F
> >   test
> >   $ cat test
> >   echo hello world
> >   $ source test
> >   /usr/bin/test:3: bad pattern: ^@^F^@(...
> 
> Are you really sure you typed "source" here?

I may have confused the test cases for bash and zsh.  Thanks for
pointing that out.  However, that does not change my concern that
"source" (as well as ".") is a security risk.

> > Unless it is really important to have this behaviour for
> > compatibility reasons, shouldn't searching the $PATH be at least
> > disabled by default?
> 
> Quoting the manpage:
> 
>        source file [ arg ... ]
>               Same  as ., except that the current directory is always searched
>               and is always searched first, before directories in $path.
> 
> Testing myself:
>     /tmp> cat test
>     echo hello world
>     /tmp> ls -l test
>     -rw-r--r--    1 jean-luc jean-luc       17 2003-09-17 08:49 test
>     /tmp> . test
>     /usr/bin/test:12: parse error near `)'
>     /tmp> source test
>     hello world
> 
> Seems you have typed ". test" :-)
> 
>        . file [ arg ... ]
>               Read commands from file and execute them in the
>               current shell environment.
> 
>               If file does not contain a slash, or if PATH_DIRS
>               is set, the shell looks in the components of $path
>               to  find the  directory  containing  file.  Files
>               in the current directory are not read unless `.'
>               appears somewhere in $path.  If a file named
>               `file.zwc' is found, is newer than file, and is the
>               compiled form  (created  with  the zcompile
>               builtin) of file, then commands are read from that
>               file instead of file.
> 
>               If  any  arguments  arg  are  given,  they become
>               the positional parameters; the old positional
>               parameters are restored when the file is done
>               executing.  The exit status is the exit status of
>               the last command executed.

Ciao

Dominik ^_^  ^_^
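
An added illustration, written by the editor and not part of the thread, of the behaviour the manpage excerpt above describes. `dot_lookup` mimics how `.` resolves a name without a slash by walking $PATH, `safe_source` is a constructed defensive wrapper that only accepts names containing a slash, and `demo` rebuilds the scenario from the thread in a temporary directory with a same-named `test` file both on $PATH and in the current directory. It is written for POSIX sh rather than zsh; the temporary layout and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): why a bare name given to `.` is risky
# and how a leading ./ avoids the $PATH lookup. Temp layout is constructed.

# Mimic the lookup `.` performs for a name without a slash: walk $PATH.
# An empty component counts as the cwd, matching the manpage's remark that
# the cwd is only read when `.' appears in $path. Prints the path that
# would be read, or returns 1 if nothing matches.
dot_lookup() {
    name=$1
    case $name in */*) printf '%s\n' "$name"; return 0 ;; esac
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        if [ -f "${dir:-.}/$name" ]; then
            IFS=$old_ifs; printf '%s\n' "${dir:-.}/$name"; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Defensive wrapper (constructed): only source names that contain a slash,
# so the file read is the one the caller named, never a same-named file
# found earlier on $PATH.
safe_source() {
    case $1 in
        */*) . "$1" ;;
        *) printf 'safe_source: refusing bare name %s, use ./%s\n' "$1" "$1" >&2
           return 2 ;;
    esac
}

# Rebuild the scenario from the thread: a "test" script in the cwd and an
# unrelated "test" earlier on $PATH. Prints which file `.` would pick, then
# the output of sourcing the intended file. Runs in a subshell so cd and
# PATH changes do not leak; cleans up afterwards.
demo() (
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/bin" "$tmp/work"
    printf 'echo not the script you meant\n' > "$tmp/bin/test"
    printf 'echo hello world\n' > "$tmp/work/test"
    cd "$tmp/work" && PATH=$tmp/bin:$PATH
    dot_lookup test          # prints $tmp/bin/test, not ./test
    safe_source ./test       # prints: hello world
    rm -rf "$tmp"
)
```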
