Path: utzoo!attcan!uunet!cs.utexas.edu!sun-barr!olivea!orc!inews!iwarp.intel.com!gargoyle!chinet!les
From: les@chinet.chi.il.us (Leslie Mikesell)
Newsgroups: comp.unix.shell
Subject: Re: Beware xargs security holes
Message-ID: <1990Oct21.223729.10521@chinet.chi.il.us>
Date: 21 Oct 90 22:37:29 GMT
References: <2113@sixhub.UUCP> <4203@umbc3.UMBC.EDU> <3484@idunno.Princeton.EDU>
Organization: Chinet - Public Access UNIX
Lines: 15

In article <3484@idunno.Princeton.EDU> pfalstad@fish.Princeton.EDU (Paul John Falstad) writes:
>Though as Dan said earlier, even if xargs quotes its arguments, you can
>still get in trouble, since find and xargs use a newline as a delimiter for
>filenames, and filenames can have newlines in them.

Actually the problem of allowing characters that are valid in filenames
to have special meanings on the command line runs rampant throughout
unix. Even if you eliminate part of the problem by using a '\0' delimiter
to synchronize find and xargs, you can still get into trouble with a file
named "-r" appearing at the front of an argument list that might also
mention directories.

Les Mikesell
  les@chinet.chi.il.us
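
Both pitfalls from this thread, as an added example that is not part of the original post: a filename containing a newline splits into two arguments under newline-delimited find | xargs, and a file named "-r" turns a bare glob into an option, which a "./" prefix prevents. The sandbox layout and function names are constructed for illustration, and a find and xargs that support -print0 and -0 are assumed.

```shell
#!/bin/sh
# Constructed sandbox: all files live in a fresh mktemp directory.
make_sandbox() {
    d=$(mktemp -d) || return 1
    mkdir "$d/subdir" && : > "$d/subdir/keep" && : > "$d/plain" &&
    : > "$d/-r" && : > "$d/two
lines" && printf '%s\n' "$d"
}

# Number of arguments xargs builds from find's output (4 regular files exist).
args_newline() { (cd "$1" && find . -type f -print  | xargs    sh -c 'echo $#' sh); }
args_nul()     { (cd "$1" && find . -type f -print0 | xargs -0 sh -c 'echo $#' sh); }

# Run rm over a glob and report whether subdir is still there (yes/no).
# $2 = "" uses the bare *, $2 = "./" uses the defensive ./* form.
subdir_survives() {
    (cd "$1" || exit 1
     LC_ALL=C; export LC_ALL          # C collation: "-r" sorts to the front
     if [ "$2" = "./" ]; then rm ./* 2>/dev/null || :
     else rm * 2>/dev/null || :; fi   # "-r" is parsed as an option here
     if [ -d subdir ]; then echo yes; else echo no; fi)
}

# Demo run over two identical sandboxes, removed afterwards.
s1=$(make_sandbox) && s2=$(make_sandbox) || exit 1
echo "newline-delimited args: $(args_newline "$s1")   NUL-delimited args: $(args_nul "$s1")"
echo "subdir survives 'rm *':   $(subdir_survives "$s1" "")"
echo "subdir survives 'rm ./*': $(subdir_survives "$s2" ./)"
rm -rf -- "$s1" "$s2"
```

With the bare glob, the file named "-r" itself is left behind while subdir is removed recursively; with "./*" rm refuses the directory and deletes only the files.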