Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: security risk in source builtin?

X-seq: zsh-users 6592
From: James Devenish <j-devenish@xxxxxxxxxxxxxxxxxxxxx>
To: Zsh Users <zsh-users@xxxxxxxxxx>
Subject: Re: security risk in source builtin?
Date: Wed, 17 Sep 2003 19:48:53 +0800
In-reply-to: <20030917110731.GA535@xxxxxx>
Mail-followup-to: Zsh Users <zsh-users@xxxxxxxxxx>
Mailing-list: contact zsh-users-help@xxxxxxxxxx; run by ezmlm
References: <20030916145820.GC4583@xxxxxx> <20030917102420.GA2522@xxxxxxxxxxxxxxxxxxxxx> <20030917110731.GA535@xxxxxx>

In message <20030917110731.GA535@xxxxxx>
on Wed, Sep 17, 2003 at 01:07:31PM +0200, Dominik Vogt wrote:
> > >   $ source test
> > >   /usr/bin/test:3: bad pattern: ^@^F^@(...
[...]
> To the casual user, it is not obvious why the $PATH should be
> searched.  After all, scripts read with "source" or "." should
> usually not be executable, so they do not belong into any
> directory in the $PATH.
[...]
> At the very least, I
> think "source" and "." should not attempt to read files in the
> $PATH that are not executable.  Of course this is only my mersonal

As you mentioned, the . command is provided by the POSIX shell. I would
expect that changing its behaviour would cause existing scripts to fail,
as well as affecting portability. I think that it is bad to be scripting
with ". test" if you desire the semantics of ". ./test" (in the case
that you use "./test", $path will not be searched). You are right that
it is a "trap" to fall into, but there is a definite difference between
". test" and ". ./test" and it is probably more important that authors
code carefully (as always applies to coding).

Follow-Ups:
- Re: security risk in source builtin?
  - From: Dominik Vogt

References:
- security risk in source builtin?
  - From: Dominik Vogt
- Re: security risk in source builtin?
  - From: Dominik Vogt

Messages sorted by: Reverse Date, Date, Thread, Author