Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!elroy.jpl.nasa.gov!jpl-devvax!lwall
From: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall)
Newsgroups: comp.lang.perl
Subject: Re: Possibly strange "Insecure PATH"
Message-ID: <11390@jpl-devvax.JPL.NASA.GOV>
Date: 11 Feb 91 20:44:38 GMT
References: <1991Feb11.003937.25848@yarra-glen.aaii.oz.au>
Reply-To: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall)
Organization: Jet Propulsion Laboratory, Pasadena, CA
Lines: 22

In article <1991Feb11.003937.25848@yarra-glen.aaii.oz.au> pem@yarra-glen.aaii.oz.au (Paul E. Maisano) writes:
: I've had a perl program running inside a set-gid wrapper for a while
: with no problem. I recently started getting an "Insecure PATH" message,
: followed by a core dump. After the latest patch, maybe??
:
: Anyway, the offending line was:
:
:     chop($ARCH = `/bin/arch`) unless defined($ARCH);
:
: I had to explicitly set the PATH first, to avoid the problem.
:
: Why should that line tell me that PATH is insecure? After all, I used
: an explicit path to access the executable inside the backticks.

Several reasons.

    1) It would have to distinguish `/bin/arch` from `/bin/arch; foo`.
    2) I'm lazy.
    3) There's no guarantee that /bin/arch doesn't exec foo using PATH.
    4) You should set the PATH anyway.  Don't be so lazy.  :-)

Larry
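
The behaviour discussed in this thread, as an added example that is not part of the original post: a script run under taint checks refuses backticks on an absolute path until PATH is set explicitly. It assumes a current Perl 5 with the `-T` switch (where the message reads "Insecure $ENV{PATH}") and uses `/bin/uname` as a stand-in for the post's `/bin/arch`.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Run as: perl -T taint_path.pl
use strict;
use warnings;

# Assumption: /bin/uname exists on this host (the post used /bin/arch).
my $cmd = '/bin/uname';

# Run the command in backticks; return its output, or the error perl raised.
sub try_backticks {
    my $out = eval { `$cmd -m` };
    if ($@) {
        (my $err = $@) =~ s/\s+\z//;    # strip trailing newline from die text
        return "died: $err";
    }
    $out = '' unless defined $out;      # command could not be started
    chomp $out;
    return "ok: $out";
}

# 1. PATH inherited from the caller is tainted, so perl refuses to start any
#    child process, even one named by an absolute path: the child (or a
#    shell, if the string held metacharacters) could still search PATH.
print "inherited PATH: ", try_backticks(), "\n";

# 2. Replace PATH with a fixed list of system directories and drop the other
#    variables a shell acts on, as the reply's point 4 advises.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
print "fixed PATH:     ", try_backticks(), "\n";
```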