Path: utzoo!attcan!uunet!zaphod.mps.ohio-state.edu!swrinde!cs.utexas.edu!sun-barr!decwrl!mcnc!gatech!udel!princeton!phoenix.Princeton.EDU!pfalstad
From: pfalstad@phoenix.Princeton.EDU (Paul John Falstad)
Newsgroups: comp.unix.shell
Subject: Re: Beware xargs security holes
Message-ID: <3500@idunno.Princeton.EDU>
Date: 22 Oct 90 04:59:24 GMT
References: <3940@awdprime.UUCP> <2113@sixhub.UUCP>
Sender: news@idunno.Princeton.EDU
Organization: Princeton University, Princeton, New Jersey
Lines: 15

In article <2113@sixhub.UUCP> davidsen@sixhub.UUCP (bill davidsen) writes:
> It *appears* that xenix quotes its arguments in xargs, since I did a
> small and cautious test and it worked all right. How about testing your

Even if the arguments are quoted, xargs still presents a security problem
if it calls system. Just about any program that runs a shell is unsecure.
If your system's xargs calls system, then someone could just create a
file with the quote character in it. The only really safe way is to do
an execve.

--
Paul Falstad, pfalstad@phoenix.princeton.edu PLink:HYPNOS GEnie:P.FALSTAD
And Dinsdale said, "You've been a naughty boy, Clement," and splits me
nostrils open, and saws me leg off, and pulls me liver out. And I said,
"My name's not Clement." And then he loses his temper. And he nails me
head to the floor.
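The difference the post describes, as an added example that is not part of the original thread and not any real xargs implementation: one function joins file names into a single shell command string with single-quote wrapping (the system() style), and a second builds an argv vector for execvp (the execve style). The file names are constructed samples; one of them contains a single quote. A small check counts the quotes the shell would see, which is the kind of sanity test a defender can apply to any program that builds command strings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample file names (not from the post). The second one
 * contains the single-quote character the post warns about. */
static const char *const SAMPLE_NAMES[] = { "report.txt", "it's.txt", "notes.txt" };
#define SAMPLE_COUNT (sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0])

/* The system() approach: join the command and every argument into one
 * string, wrapping each argument in single quotes. Returns the length
 * written, or -1 if the buffer is too small. This is the hypothetical
 * "xargs that calls system" from the post, written out for illustration. */
int build_quoted_command(char *out, size_t outsz, const char *cmd,
                         const char *const *names, size_t n)
{
    int w = snprintf(out, outsz, "%s", cmd);
    if (w < 0 || (size_t)w >= outsz) return -1;
    size_t used = (size_t)w;
    for (size_t i = 0; i < n; i++) {
        w = snprintf(out + used, outsz - used, " '%s'", names[i]);
        if (w < 0 || (size_t)w >= outsz - used) return -1;
        used += (size_t)w;
    }
    return (int)used;
}

/* Count occurrences of c in s. */
size_t count_char(const char *s, char c)
{
    size_t k = 0;
    for (; *s; s++) if (*s == c) k++;
    return k;
}

/* Defender-side check: after naive quoting, are the single quotes the
 * shell will parse still balanced? An odd count means a file name ended
 * the quoted region early and the rest of the line is no longer
 * interpreted as the program intended. */
int quoting_is_balanced(const char *cmdline)
{
    return count_char(cmdline, '\'') % 2 == 0;
}

/* Wrapper over the constructed sample so the result is one return value:
 * 1 if the system()-style string stays balanced, 0 if a name broke it. */
int sample_system_string_balanced(void)
{
    char line[256];
    if (build_quoted_command(line, sizeof line, "ls -l",
                             SAMPLE_NAMES, SAMPLE_COUNT) < 0) return -1;
    return quoting_is_balanced(line);
}

/* The execve approach: a NULL-terminated argv where each name is its own
 * element. No shell parses it, so a quote is just another byte in the
 * name. The caller frees the array; the strings are not copied. */
char **build_argv(const char *cmd, const char *const *names, size_t n)
{
    char **argv = calloc(n + 2, sizeof *argv);
    if (!argv) return NULL;
    argv[0] = (char *)cmd;
    for (size_t i = 0; i < n; i++) argv[i + 1] = (char *)names[i];
    argv[n + 1] = NULL;
    return argv;
}

/* Run argv[0] with fork + execvp, never through a shell. Returns the
 * child's exit status, or -1 on failure. */
int run_no_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char line[256];
    build_quoted_command(line, sizeof line, "ls -l", SAMPLE_NAMES, SAMPLE_COUNT);
    printf("system() string : %s\n", line);
    printf("quotes balanced : %s\n", quoting_is_balanced(line) ? "yes" : "no");

    char **argv = build_argv("echo", SAMPLE_NAMES, SAMPLE_COUNT);
    if (!argv) return 1;
    printf("argv[2] as the program sees it: %s\n", argv[2]);
    run_no_shell(argv);   /* echo prints all three names intact */
    free(argv);
    return 0;
}
```

With the sample names the system()-style string carries seven single quotes, so the shell would not parse it the way the program intended, while the argv element reaches the child program unchanged; that is the whole reason the post prefers execve over system.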