Xref: utzoo news.admin:4070 news.sysadmin:1677 comp.mail.uucp:2346
Path: utzoo!attcan!uunet!ateng!chip
From: chip@ateng.ateng.com (Chip Salzenberg)
Newsgroups: news.admin,news.sysadmin,comp.mail.uucp
Subject: Re: Dangerous hole in Usenet!
Keywords: "it's a secret ... but they told me!" -- david dobkin
Message-ID: <1988Nov25.174519.13119@ateng.ateng.com>
Date: 25 Nov 88 22:45:19 GMT
References: <1227@vsi1.UUCP> <117@hudson.Morgan.COM> <800@mailrus.cc.umich.edu> <4833@bsu-cs.UUCP> <1961@van-bc.UUCP> <151@ecicrl.UUCP>
Organization: A T Engineering, Tampa, FL
Lines: 18

According to clewis@ecicrl.UUCP (Chris Lewis):
>In article <1961@van-bc.UUCP> sl@van-bc.UUCP (pri=-10 Stuart Lynne) writes:
>>[Unshar] is designed to split up shar packages safely.
>>And available in source so you can tune it to your system.
>
>Er, no.

Er, yes.  Rich Salz's "cshar" package includes a "safe" unshar program in C.

>You know, maybe we should try to invent a new "mailable" archive format
>that isn't compatible with /bin/sh so that people are *never* tempted into
>the trap of using sed..|sh or insecure unshars.

A good idea, and my next project.
-- 
Chip Salzenberg             <chip@ateng.com> or <uunet!ateng!chip>
A T Engineering             Me?  Speak for my company?  Surely you jest!
	   Beware of programmers carrying screwdrivers.