Path: utzoo!attcan!uunet!aplcen!haven!umbc3!math9.math.umbc.edu!rouben
From: rouben@math9.math.umbc.edu (Rouben Rostamian)
Newsgroups: comp.unix.shell
Subject: Re: Beware xargs security holes
Message-ID: <4203@umbc3.UMBC.EDU>
Date: 21 Oct 90 03:55:00 GMT
References: <63404@iuvax.cs.indiana.edu> <1990Oct9.172621.13484@cbnews.att.com> <271653D6.1CE8@tct.uucp> <4062:Oct1518:22:1290@kramden.acf.nyu.edu> <3876@awdprime.UUCP> <3940@awdprime.UUCP> <2113@sixhub.UUCP>
Sender: newspost@umbc3.UMBC.EDU
Reply-To: rouben@math9.math.umbc.edu.UUCP (Rouben Rostamian)
Organization: Mathematics Department University of Maryland, Baltimore County
Lines: 25

In article <2113@sixhub.UUCP> davidsen@sixhub.UUCP (bill davidsen) writes:
>  It *appears* that xenix quotes its arguments in xargs, since I did a
>small and cautious test and it worked all right. How about testing your
>version of xargs and posting the results here? I will do Sun, Ultrix and
>(if I get the files reloaded) V.4.

Why "small and cautious"? To test whether xargs quotes its arguments,
in an empty directory do:

    touch "This is a test"
    find . -print | xargs rm

If the file "This is a test" goes away, then xargs is quoting its arguments.
Otherwise, xargs is feeding the file name as four separate arguments to rm
and you will get complaints from rm for not finding the files.

I ran this test on Ultrix V4.0 and on a Stardent 3000 (a hybrid SysV/bsd
beast.) In neither test was the file removed. So no quoting from xargs
in these cases.

--
Rouben Rostamian                          Telephone: (301) 455-2458
Department of Mathematics and Statistics  e-mail:
University of Maryland Baltimore County   bitnet: rostamian@umbc
Baltimore, MD 21228, U.S.A.               internet: rostamian@umbc3.umbc.edu
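
Added example, not part of the original post: a non-destructive version of the test above that counts the arguments xargs hands to its command instead of running rm, and compares it with two forms that keep the file name intact. The helper name count_args is hypothetical, and the -print0 / -0 options and "-exec ... {} +" are facilities the post does not mention and are assumed to be available on the system under test.

```shell
#!/bin/sh
# Constructed test. Each run works in a fresh temporary directory holding one
# file named "This is a test" (the name used in the post) and reports how many
# arguments the command at the end of the pipeline received.
#
# count_args MODE  -> prints the argument count
#   plain : find -print  | xargs      whitespace-split, as in the post
#   nul   : find -print0 | xargs -0   NUL-delimited names
#   exec  : find -exec ... {} +       find builds the argument list itself
# -type f is added so that "." is not counted along with the file.
count_args() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        touch "This is a test"
        case $1 in
            plain) find . -type f -print  | xargs    sh -c 'echo $#' sh ;;
            nul)   find . -type f -print0 | xargs -0 sh -c 'echo $#' sh ;;
            exec)  find . -type f -exec sh -c 'echo $#' sh {} + ;;
            *)     echo "unknown mode: $1" >&2; exit 2 ;;
        esac
    )
    status=$?
    rm -rf -- "$dir"          # only the temporary directory is removed
    return $status
}

# Report all three forms. A count above 1 means the single file name was
# split into several arguments before the command saw it.
for mode in plain nul exec; do
    printf '%-5s -> %s argument(s)\n' "$mode" "$(count_args "$mode")"
done
```

A result of 4 for "plain" corresponds to the outcome reported in the post for Ultrix and the Stardent: the name arrives as four separate arguments.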