Xref: utzoo news.admin:4056 news.sysadmin:1653 comp.mail.uucp:2322
Path: utzoo!attcan!lsuc!ecicrl!clewis
From: clewis@ecicrl.UUCP (Chris Lewis)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Keywords: "it's a secret ... but they told me!" -- david dobkin
Message-ID: <151@ecicrl.UUCP>
Date: 24 Nov 88 01:00:02 GMT
References: <1227@vsi1.UUCP> <117@hudson.Morgan.COM> <800@mailrus.cc.umich.edu> <4833@bsu-cs.UUCP> <1961@van-bc.UUCP>
Reply-To: clewis@ecicrl.UUCP (Chris Lewis)
Organization: Elegant Communications Inc. (CRL Division)
Lines: 29

In article <1961@van-bc.UUCP> sl@van-bc.UUCP (pri=-10 Stuart Lynne) writes:
>>In article <800@mailrus.cc.umich.edu> honey@citi.umich.edu (peter honeyman)
>>writes:
>>>the major hole has to do with handing certain news articles to
>>>sed|sh.
>Simpler yet is to use unshar.
>
>It's designed to split up shar packages safely. And available in source so
>you can tune it to your system.

Er, no. Examine yours very carefully - I haven't seen any version of
unshar yet (and I've seen quite a few go by) that does anything more than
scan through the file before finding a point where it can start ramming
stuff down /bin/sh.

Eg: the version written in perl recently posted in comp.sources.misc
doesn't do *any* security checking - it simply looks for a "#!" or
"cut here" and pipes the rest thru sh. Some security.

You know, maybe we should try to invent a new "mailable" archive format
that isn't compatible with /bin/sh so that people are *never* tempted
into the trap of using sed..|sh or insecure unshars.
--
Chris Lewis, Markham, Ontario, Canada
{uunet!attcan,utgpu,yunexus,utzoo}!lsuc!ecicrl!clewis
Ferret Mailing list: ...!lsuc!gate!eci386!ferret-request
(or lsuc!gate!eci386!clewis or lsuc!clewis)
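
Added example, not part of the original post and not code from any unshar release: a static check that reads a shar without handing any of it to /bin/sh, reporting commands outside a small allowlist, redirects that leave the current directory, and unquoted here-document delimiters. The allowlist, the one-command-per-line layout and the sample archive are assumptions constructed for illustration.

```python
import re

# Assumption: the few commands a plain shar needs; tune for your archives.
ALLOWED = {"echo", "sed", "cat", "mkdir", "exit"}
HEREDOC = re.compile(r"<<-?\s*(\\|['\"])?([^\s'\";&|<>]+)")
REDIRECT = re.compile(r">\s*([^\s<>|;&]+)")
METACHARS = re.compile(r"[;&|`]|\$\(")

def audit_shar(text):
    """Return (line_number, reason) findings. Nothing is ever executed."""
    findings, terminator, started = [], None, False
    for no, line in enumerate(text.splitlines(), 1):
        if terminator is not None:        # here-document body: file data
            if line.strip() == terminator:
                terminator = None
            continue
        if not started:                   # skip news/mail headers before "#!"
            started = line.startswith("#!")
            continue
        cmd = line.strip()
        if not cmd or cmd.startswith("#"):
            continue
        m = HEREDOC.search(cmd)
        if m:
            terminator, cmd = m.group(2), cmd[:m.start()]
            if m.group(1) is None:        # unquoted: sh expands $(...) in body
                findings.append((no, "unquoted here-document delimiter"))
        words = cmd.split()
        if METACHARS.search(cmd) or (words and words[0] not in ALLOWED):
            findings.append((no, "unexpected command: " + cmd))
        for target in REDIRECT.findall(cmd):
            if target.startswith("/") or ".." in target.split("/"):
                findings.append((no, "writes outside cwd: " + target))
    return findings

SAMPLE = """Subject: constructed sample, not a real posting
#! /bin/sh
sed 's/^X//' > hello.c << 'SHAR_EOF'
Xint main(void) { return 0; }
SHAR_EOF
touch /tmp/unexpected-side-effect
sed 's/^X//' > ../.profile << 'SHAR_EOF'
SHAR_EOF
cat > notes.txt << SHAR_EOF
$(date)
SHAR_EOF
"""
for finding in audit_shar(SAMPLE):
    print(finding)
```

Any finding means the archive should be read by hand before extraction; an empty list only means these particular checks found nothing.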