[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IFS



>>>>> "Marc" == Marc Feeley <feeley@xxxxxxxxxxxxxxxx> writes:

Marc> This is slightly off topic but...

Marc> Could someone explain to me the need for the IFS line?  I read the
Marc> link to the Secure UNIX Programming FAQ, and am still puzzled.
Marc> In particular if an attacker has set IFS to "=" doesn't it mean
Marc> that the line

Marc>     IFS=" "

Marc> in the script will be interpreted as

Marc>     IFS " "

Marc> which doesn't solve the security hole.

I don't think so: IFS is used to split argument list expansions.

However, I've not been able to find a single current OS with a shell
that still allows exploiting this hole.  (In particular, 4.4BSD, ksh,
bash, and AIX's bsh are fixed.)  So it may be less confusing to just
remove mention of it.

Objections?

-- 
Cheers =8-} Mike
Friede, Völkerverständigung und überhaupt blabla