This page is part of the web mail archives of SRFI 22 from before July 7th, 2015. The new archives for SRFI 22 contain all messages, not just those from before July 7th, 2015.
>>>>> "Marc" == Marc Feeley <feeley@xxxxxxxxxxxxxxxx> writes:

Marc> This is slightly off topic but...

Marc> Could someone explain to me the need for the IFS line? I read the
Marc> link to the Secure UNIX Programming FAQ, and am still puzzled.
Marc> In particular if an attacker has set IFS to "=" doesn't it mean
Marc> that the line

Marc>   IFS=" "

Marc> in the script will be interpreted as

Marc>   IFS " "

Marc> which doesn't solve the security hole.

I don't think so: IFS is used to split argument list expansions.

However, I've not been able to find a single current OS with a shell that still allows exploiting this hole. (In particular, 4.4BSD, ksh, bash, and AIX's bsh are fixed.) So it may be less confusing to just remove mention of it.

Objections?

--
Cheers =8-} Mike
Peace, international understanding, and blah blah in general
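Added example, not part of the archived messages: a POSIX sh script that checks the distinction drawn in the reply above, namely that IFS splits the results of expansions and not the words written in the script, so `IFS=" "` is still parsed as an assignment when IFS is already "=". The function names and the sample value are constructed for this illustration.

```shell
#!/bin/sh
# Added illustration; helper names and sample values are constructed.

# Print how many arguments the command line produced.
count_args() { echo "$#"; }

# 1. Field splitting applies to the result of an unquoted expansion.
split_expansion() (
    IFS='='
    v='a=b=c'            # constructed sample value
    count_args $v        # unquoted on purpose: split on "=" into 3 words
)

# 2. It does not apply to a literal word in the script source.
split_literal() (
    IFS='='
    count_args a=b=c     # literal word: stays a single argument
)

# 3. The case asked about: IFS is already "=" when the shell parses
#    the line IFS=" ". eval forces a fresh parse at that point.
reassign_ifs() (
    IFS='='
    eval 'IFS=" "'       # still parsed as an assignment
    printf '[%s]\n' "$IFS"
)

# Each function body is a subshell, so the caller's IFS is left untouched.
echo "expansion words:        $(split_expansion)"
echo "literal words:          $(split_literal)"
echo "IFS after reassignment: $(reassign_ifs)"
```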