[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


This page is part of the web mail archives of SRFI 22 from before July 7th, 2015. The new archives for SRFI 22 contain all messages, not just those from before July 7th, 2015.

>>>>> "Marc" == Marc Feeley <feeley@xxxxxxxxxxxxxxxx> writes:

Marc> This is slightly off topic but...

Marc> Could someone explain to me the need for the IFS line?  I read the
Marc> link to the Secure UNIX Programming FAQ, and am still puzzled.
Marc> In particular if an attacker has set IFS to "=" doesn't it mean
Marc> that the line

Marc>     IFS=" "

Marc> in the script will be interpreted as

Marc>     IFS " "

Marc> which doesn't solve the security hole.

I don't think so: IFS is used to split argument list expansions.

However, I've not been able to find a single current OS with a shell
that still allows exploiting this hole.  (In particular, 4.4BSD, ksh,
bash, and AIX's bsh are fixed.)  So it may be less confusing to just
remove mention of it.


Cheers =8-} Mike
Friede, Völkerverständigung und überhaupt blabla