Xref: utzoo comp.unix.wizards:13498 news.admin:4312 news.sysadmin:1951
Path: utzoo!utgpu!attcan!uunet!lll-winken!lll-tis!ames!ncar!mailrus!purdue!decwrl!eda!jim
From: jim@eda.com (Jim Budler)
Newsgroups: comp.unix.wizards,news.admin,news.sysadmin
Subject: Re: unshar business
Message-ID: <397@eda.com>
Date: 15 Dec 88 22:48:26 GMT
References: <232@logicon.arpa> <7876@well.UUCP> <395@eda.com> <164@ecicrl.UUCP>
Reply-To: jim@eda.com (Jim Budler)
Organization: EDA Systems,Inc. Santa Clara, CA
Lines: 78

In article <164@ecicrl.UUCP> clewis@ecicrl.UUCP (Chris Lewis) writes:
| In article <395@eda.com> jim@eda.com (Jim Budler) writes:
| >In article <7876@well.UUCP> Jef Poskanzer writes:
| >| Well, I have looked at Cathy's program, all 93 lines of it, and unless
| >| I'm reading it wrong she wasn't paying much attention either.....
[...]
| >I may modify the source to disallow any '/'.

First, you totally ignored the statement above.

|
| How about placing the following into "../../../rnews"?
|
| for i in /bin/*
| do
| od $i | mail root
| done
|

Second, though partially my fault since I failed to mention I run her program under chroot(2). So there is no od(1), and no mail(1), and now there is not even a sed(1) available.

| I'd say that was a little more than limited to the news hierarchy. If you're
| gonna do this right, you gotta be really paranoid.
|
| >| By the way, uns.c uses a fixed size buffer, only 256 characters long.
| >| I have right here in my home directory a shar file with a 288 character
| >| line.
|
| >It was, I believe, designed to unpack maps, not general shar files.
|
| Gee, it wouldn't be using gets would it? ;->
|
| Come on guys - if this were war, you'd be trashed already. Half measures
| are usually worse than none at all - being lulled by a false sense of
| security.

Like I said, above, I do not use uns without some protective wrapping around it, so I doubt it.
Now, I'll get down to what I really feel about this whole subject:

1) Someone supplied some source code, presented as a possible solution to a problem.

2) It wasn't perfect 8^) But then neither is sendmail, ftpd, fingerd, and many other programs, including basically Unix(tm).

3) You supplied neither a better solution, nor helped to fix it in any positive way (or did I miss your posting of the traditional Usenet source code assistance, a diff?).

Cathy's program, slightly modified, wrapped within an edit of Mr. Quartermain's uuhosts script and mapsh program, increased the security of unpacking the maps. What did your postings really contribute?

And no, I haven't finished my mods to the program yet, so I know it isn't perfect yet, and given your response to less than perfection I may never post it, but instead sit here more secure, in the grand tradition of all those who sat back and said "I've known about that hole for years." Why post source, I'll just get flames from the perfect people out there. <----- *more sarcasm*

| --
| Chris Lewis, Markham, Ontario, Canada

Like I said, lighten up.

jim
--
Jim Budler
address = uucp: ...!{decwrl,uunet}!eda!jim OR domain: jim@eda.com
#define disclaimer "I do not speak for my employer"
#define truth "I speak for myself"
#define result "variable"
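The two defects the thread argues over, as an added example in C (not Cathy's uns.c, Jim's wrapper, or anything posted above): a filename check that refuses any '/' so a target like "../../../rnews" is rejected rather than written, and a bounded replacement for gets() that reports a line longer than the 256-byte buffer (the 288-character case) instead of overrunning it. The function names `safe_name` and `read_line` are assumed.

```c
#include <stdio.h>
#include <string.h>

#define LINE_BUF 256   /* the fixed buffer size mentioned in the thread */

/* Return 1 if name may be created inside the unpack directory.
 * Anything containing '/' is refused outright, which also covers the
 * "../../../rnews" style target; "." and ".." are refused as well. */
int safe_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Bounded replacement for gets(): read one line into buf of size len.
 * Returns 1 for a complete line (newline stripped), 0 at end of file,
 * and -1 when the line does not fit; the rest of that line is discarded
 * so the caller can skip it instead of treating the tail as a new line. */
int read_line(FILE *fp, char *buf, size_t len)
{
    if (fgets(buf, (int)len, fp) == NULL)
        return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    /* No newline: either the line exactly filled the buffer, the file
     * ended without a newline, or the line is too long. */
    int c = getc(fp);
    if (c == '\n' || c == EOF)
        return 1;
    while ((c = getc(fp)) != EOF && c != '\n')
        ;
    return -1;
}
```

A caller that loops on read_line() with a LINE_BUF-sized buffer and skips -1 results never hands an over-long line to the rest of the unpacker.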