Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: 8-bit patch for zle_tricky.c



>Of course. But the point I was trying to make is that not only setuid
>scripts, but also setuid C programs calling system (and thus unintentionally
>invoking sh) can represent security problems. Which is why IFS is used the
>way it is in bash/ksh.

As I said, it *is* possible for a privileged script to be secure.  IMO
it's up to the person writing such scripts to use the methods
available.  We shouldn't disable a feature just to make this easier.  I
think field splitting should be off by default in zsh, but
SH_WORD_SPLIT or some other option should turn it on.  (Maybe
SH_WORD_SPLIT should do field splitting on words, and SH_FIELD_SPLIT
should do the current field splitting on parameters.)

In any case, this is not a critical issue, and can wait until after 3.0.

-zefram



