Xref: utzoo news.admin:4076 news.sysadmin:1686 comp.mail.uucp:2353
Path: utzoo!utgpu!watmath!clyde!mcdchg!nud!df
From: df@nud.UUCP (Dale Farnsworth)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Message-ID: <1552@nud.UUCP>
Date: 26 Nov 88 20:58:11 GMT
References: <1227@vsi1.UUCP> <117@hudson.Morgan.COM> <800@mailrus.cc.umich.edu> <4833@bsu-cs.UUCP> <1961@van-bc.UUCP> <151@ecicrl.UUCP>
Reply-To: df@nud.UUCP (Dale Farnsworth)
Organization: Motorola Microcomputer Division, Tempe, Az.
Lines: 36

Chris Lewis (clewis@ecicrl.UUCP) writes:
> In article <1961@van-bc.UUCP> sl@van-bc.UUCP (pri=-10 Stuart Lynne) writes:
> 
> >Simpler yet is to use unshar. 
>
> Er, no.  Examine yours very carefully - I haven't seen any version of
> unshar yet (and I've seen quite a few go by) that does
> anything more than scan through the file before finding a point where
> it can start ramming stuff down /bin/sh.
> 
> Some security.

Here is a shell file I've been using to unpack the uucp maps.
As long as cat is the only command used in the map files, it ought to work.

#! /bin/sh
cd $MAPDIR
sed -e '1,/^echo/d' -e '/^SHAR_EOF/,$d' |
(
	read CAT IN TERMINATOR OUT FILENAME
	if [ "$CAT" != cat -o "$IN" != '<<' -o "$TERMINATOR" != \'SHAR_EOF\' -o "$OUT" != '>' ]
	then
		echo "$0: bad shar format."
		echo "First line after echo is:"
		echo "$CAT $IN $TERMINATOR $OUT $FILENAME"
		echo Map file ignored.
		exit
	else
		cat >./$FILENAME
	fi
)

-Dale

-- 
Dale Farnsworth		602-438-3092	noao!asuvax!nud!df