Zsh Mailing List Archive
Messages sorted by:
Reverse Date,
Date,
Thread,
Author
Re: Bug in executable completion: unable to handle .. it $PATH
- X-seq: zsh-workers 26254
- From: Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
- To: "Zsh Workers" <zsh-workers@xxxxxxxxxx>, 162291@xxxxxxxxxxxxxxx
- Subject: Re: Bug in executable completion: unable to handle .. it $PATH
- Date: Wed, 07 Jan 2009 20:49:08 +0000
- In-reply-to: Message from Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> of "Wed, 07 Jan 2009 12:18:19 PST." <090107121819.ZM27726@xxxxxxxxxxxxxxxxxxxxxx>
- Mailing-list: contact zsh-workers-help@xxxxxxxxxx; run by ezmlm
Bart Schaefer wrote:
> On Jan 7, 8:09pm, Peter Stephenson wrote:
> }
> } This is done explicitly in the code, but I have no idea why; it precedes
> } the CVS archive. The function isrelative() is only used by hashdir().
>
> I believe it's a security thing, so that an inherited $PATH can't fool
> someone into executing code from an unexpected place.
I don't think that can be it, since this feature is only in the command
hashing. If you type the command name in full it will still be
executed. So this has virtually no effect on non-interactive use.
Since the path is still absolute I don't see how this could effect
security, either, except maybe at second hand... if you sanitized the
early part of the path but didn't look for "..", so the component could
end up pointing out of that area, for example. But that doesn't seem to
me to be the shell's problem.
--
Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
Web page now at http://homepage.ntlworld.com/p.w.stephenson/
Messages sorted by:
Reverse Date,
Date,
Thread,
Author