Path: utzoo!utgpu!watserv1!watmath!att!rutgers!cs.utexas.edu!uunet!virtech!cpcahil
From: cpcahil@virtech.uucp (Conor P. Cahill)
Newsgroups: comp.unix.shell
Subject: Re: Beware xargs security holes
Message-ID: <1990Oct24.010007.817@virtech.uucp>
Date: 24 Oct 90 01:00:07 GMT
References: <63404@iuvax.cs.indiana.edu> <1990Oct9.172621.13484@cbnews.att.com> <271653D6.1CE8@tct.uucp> <4062:Oct1518:22:1290@kramden.acf.nyu.edu> <3876@awdprime.UUCP> <3940@awdprime.UUCP> <1890@necisa.ho.necisa.oz>
Reply-To: cpcahil@virtech.UUCP (Conor P. Cahill)
Organization: Virtual Technologies Inc., Sterling VA
Lines: 12

In article <1890@necisa.ho.necisa.oz> boyd@necisa.ho.necisa.oz (Boyd Roberts) writes:
>Nor can I. Since when did xargs(1) use system(3)?

It doesn't matter what xargs uses to run the command. The problem is how
it parses its input. If the input is newline separated and a user can
add newlines to a filename, then the user can create a file that will cause
xargs to incorrectly parse its input.

-- 
Conor P. Cahill            (703)430-9247
Virtual Technologies, Inc., uunet!virtech!cpcahil
46030 Manekin Plaza, Suite 160
Sterling, VA 22170
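The parsing problem described in the post above, shown as an added example that is not part of the original post or thread: it compares how many arguments xargs builds from a newline-terminated file listing and from a NUL-terminated one, and counts the file names that contain a newline. The scratch directory, file names and function names are constructed for illustration, and `-print0` / `-0` are assumed to be available (they are extensions in GNU and BSD find/xargs).

```shell
#!/bin/sh
# Added illustration; directory and file names are constructed sample data.

# Create a scratch directory with two files, one with a newline in its name.
make_demo_dir() {
    demo=$(mktemp -d) || return 1
    : > "$demo/report.txt"
    : > "$demo/notes
extra.txt"
    printf '%s\n' "$demo"
}

# Number of arguments xargs builds from a newline-terminated listing.
# The embedded newline splits one file name into two arguments.
args_from_newline_list() {
    (cd "$1" && find . -type f -print | xargs sh -c 'echo "$#"' sh)
}

# Number of arguments when each name is NUL-terminated instead.
# NUL cannot occur in a file name, so every name stays one argument.
args_from_nul_list() {
    (cd "$1" && find . -type f -print0 | xargs -0 sh -c 'echo "$#"' sh)
}

# Audit helper: count files whose names contain a newline.
count_newline_names() {
    (cd "$1" && find . -type f -name '*
*' -exec echo x \; | wc -l | tr -d ' ')
}

main() {
    d=$(make_demo_dir) || exit 1
    echo "files on disk:            2"
    echo "args, newline-delimited:  $(args_from_newline_list "$d")"
    echo "args, NUL-delimited:      $(args_from_nul_list "$d")"
    echo "names containing newline: $(count_newline_names "$d")"
    rm -rf "$d"
}
main
```
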