Newsgroups: comp.unix.shell
Path: utzoo!utgpu!watserv1!watcgl!idallen
From: idallen@watcgl.waterloo.edu (Ian! D. Allen [CGL])
Subject: Beware xargs security holes
Message-ID: <1990Oct9.060954.25690@watcgl.waterloo.edu>
Organization: Computer Graphics Laboratory, University of Waterloo, Ontario, Canada
References: <28790001@col.hp.com> <28790002@col.hp.com>
Date: Tue, 9 Oct 90 06:09:54 GMT
Lines: 30

So you like to use this:

    find . -type f -print | xargs rm -f

Interesting things happen here under some versions of xargs if you have
files with odd names that look like command lines, such as:

    echo hi >"foo ; rm -rf /"

Since some versions of xargs (or programs of similar function, such as
"apply") use a shell to execute the indicated command, the shell parses
the file name, splits on the ";", and executes the following part of the
file name as another command, with potentially exciting results:

    rm -f foo ; rm -rf /

Even versions that don't use a shell to run the command often split on
blanks, causing file names to match things you don't intend:

    touch foo bar
    echo hi >"foo bar"
    echo "foo bar" | xargs rm

The above example removes files "foo" and "bar" on Ultrix 3.1C.  File
"foo bar" (which might have been the result of a "find") is not touched.

So be VERY CAREFUL using xargs and friends!
-- 
-IAN! (Ian! D. Allen)  idallen@watcgl.uwaterloo.ca  idallen@watcgl.waterloo.edu
[129.97.128.64]  Computer Graphics Lab/University of Waterloo/Ontario/Canada
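The script below is an added example, not part of Ian's post. It reproduces the blank-splitting he describes on a constructed set of files (one name with a space, one with shell metacharacters, one with an embedded newline) and then shows the fix that later findutils grew for exactly this reason: terminate every name with NUL (find -print0) and tell xargs to split only on NUL (xargs -0). It assumes mktemp -d, find -print0 and xargs -0, which GNU and BSD findutils provide but the 1990 Ultrix in the post did not; the file and directory names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes mktemp -d,
# find -print0 and xargs -0 (GNU and BSD findutils); none of the
# names below refer to real systems.
set -eu

# Constructed fixture: five files, three of them with hostile names
# (a blank, shell metacharacters, and an embedded newline).
make_fixture() {
    dir=$(mktemp -d)
    : > "$dir/foo"
    : > "$dir/bar"
    : > "$dir/foo bar"
    : > "$dir/foo ; echo pwned"
    : > "$dir/$(printf 'new\nline')"
    printf '%s\n' "$dir"
}

# Count the entries a pipeline left behind. A glob loop is used instead
# of "ls | wc -l" because ls prints the embedded newline raw when piped.
remaining() {
    n=0
    for f in "$1"/*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# The post's example: default xargs tokenises on blanks, so the single
# name "foo bar" becomes two arguments and the wrong files are removed.
naive_delete() {
    ( cd "$1" && printf '%s\n' 'foo bar' | xargs rm -f )
    remaining "$1"
}

# Same input, NUL-terminated: xargs -0 hands rm exactly one argument.
safe_delete() {
    ( cd "$1" && printf '%s\0' 'foo bar' | xargs -0 rm -f )
    remaining "$1"
}

# Whole-tree variant with newline-separated names: every hostile name
# is mangled, so foo and bar vanish and the three odd files survive.
naive_find_delete() {
    ( cd "$1" && find . -type f | xargs rm -f )
    remaining "$1"
}

# Whole-tree variant with NUL separators: the blank, the ';' and even
# the embedded newline reach rm verbatim, and no shell ever parses them.
safe_find_delete() {
    ( cd "$1" && find . -type f -print0 | xargs -0 rm -f )
    remaining "$1"
}
```

Run it as `d=$(make_fixture); naive_find_delete "$d"` and compare with `safe_find_delete` on a fresh fixture: the former reports three survivors, the latter none. Two caveats worth knowing: GNU and BSD xargs also treat single quotes, double quotes and backslashes in the input specially unless -0 is given, so a name containing an apostrophe aborts the whole run rather than merely misfiring; and where xargs is not needed at all, `find . -type f -exec rm -f {} +` passes names directly as arguments with no intermediate parsing and is portable to any POSIX find.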