Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!zaphod.mps.ohio-state.edu!rpi!crdgw1!sixhub!davidsen
From: davidsen@sixhub.UUCP (Wm E. Davidsen Jr)
Newsgroups: comp.unix.shell
Subject: Re: Beware xargs security holes
Message-ID: <2123@sixhub.UUCP>
Date: 23 Oct 90 00:41:17 GMT
References: <63404@iuvax.cs.indiana.edu> <1990Oct9.172621.13484@cbnews.att.com> <271653D6.1CE8@tct.uucp> <4062:Oct1518:22:1290@kramden.acf.nyu.edu> <3876@awdprime.UUCP> <3940@awdprime.UUCP> <2113@sixhub.UUCP> <4203@umbc3.UMBC.EDU>
Reply-To: davidsen@sixhub.UUCP (bill davidsen)
Organization: *IX Public Access UNIX, Schenectady NY
Lines: 23

In article <4203@umbc3.UMBC.EDU> rouben@math9.math.umbc.edu.UUCP (Rouben Rostamian) writes:

| Why "small and cautious"? To test whether xargs quotes its arguments,
| in an empty directory do:
|
| touch "This is a test"
| find . -print | xargs rm

That's what I mean by small and cautious. Actually I tried creating a
file called "abc;date" to see if the date command would be executed, and
abc#x to see if the comment character was okay. These worked, but
embedded blanks caused problems.

Obviously either (a) a shell is not being called to process this, or
(b) the shell is run with IFS redefined.

Verdict: xenix xargs is better than some, not perfect.
--
bill davidsen - davidsen@sixhub.uucp (uunet!crdgw1!sixhub!davidsen)
    sysop *IX BBS and Public Access UNIX
    moderator of comp.binaries.ibm.pc and 80386 mailing list
"Stupidity, like virtue, is its own reward" -me
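
Added example, not part of the original post: a scratch-directory version of the test discussed above, using the three file names from the thread, that reports which names survive and whether anything was executed. It goes beyond the post by also running a NUL-delimited pipeline for comparison; the function names are hypothetical, and `find -print0`, `xargs -0` and `mktemp -d` are assumed to be available.

```shell
#!/bin/sh
# Added example: the post's quoting test, run in a scratch directory.
# All file names are constructed test data.

make_fixture() {
    # Create a scratch directory with the three names from the post; print its path.
    d=$(mktemp -d) || return 1
    : > "$d/This is a test"   # embedded blanks
    : > "$d/abc;date"         # shell command separator
    : > "$d/abc#x"            # shell comment character
    printf '%s\n' "$d"
}

survivors() {
    # Count the regular files still present under directory $1.
    find "$1" -type f | wc -l | tr -d ' '
}

run_plain() {
    # The post's pipeline (with -type f added so "." is not passed to rm).
    # Prints anything the pipeline wrote to stdout; a shell running "date"
    # would show up here. xargs exits non-zero when rm fails.
    (cd "$1" && find . -type f -print | xargs rm 2>/dev/null)
}

run_nul() {
    # NUL-delimited names. Assumes find -print0 and xargs -0 exist
    # (GNU and BSD tools have them).
    (cd "$1" && find . -type f -print0 | xargs -0 rm --)
}

demo() {
    d=$(make_fixture) || return 1
    out=$(run_plain "$d") || true
    echo "find -print | xargs rm:      stdout='$out' files left: $(survivors "$d")"
    rm -rf "$d"
    d=$(make_fixture) || return 1
    run_nul "$d"
    echo "find -print0 | xargs -0 rm:  files left: $(survivors "$d")"
    rm -rf "$d"
}

demo
```

On an xargs that splits on blanks and does not call a shell, the first pipeline prints nothing on stdout and leaves only "This is a test" behind; the NUL-delimited pipeline leaves no files.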