Garrick Staples wrote:
How many "homebrew" ISP or hosting administration scripts could be compromised
by simply putting a file in your home directory called ";rm -rf /" ?
It's not as bad as you think because of the order of operations.
In all cases, these perform exactly as a string should regardless of inner
characters.
He's probably thinking of a scripted operation that does a
    find . -print | xargs some_command
(without print0) or a backtick or $(..) generated expansion. A lot of
the usefulness of the shell happens because you can generate and reparse
text programmatically and have it become commands - and a side effect is
that metacharacters that appear in the text get processed even if they
aren't what you expected. I think it is kind of silly that common shell
metacharacters are permitted in filenames, but there's not much you
can do about it now.
--
Les Mikesell
lesmikesell@xxxxxxxxx
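
The reparsing described in the message above, as an added example that is not part of the original thread: it counts how many arguments a command receives when file names travel through `find -print | xargs`, through an unquoted `$(..)` expansion, and through the NUL-delimited form. The function names and the sample file names are constructed for illustration, and the scratch directory path is assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: constructed file names, harmless commands only.

# Create a scratch directory holding one plain name and one name with a space.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/notes.txt"
    : > "$d/report 2024.txt"    # constructed name containing a space
    printf '%s\n' "$d"
}

# xargs splits its input on blanks and newlines, so the name with a
# space reaches the command as two separate arguments.
count_args_print() {
    find "$1" -type f -print | xargs sh -c 'echo "$#"' sh
}

# NUL-delimited names: one argument per file, whatever the name contains.
count_args_print0() {
    find "$1" -type f -print0 | xargs -0 sh -c 'echo "$#"' sh
}

# Unquoted $(..) expansion: the shell re-splits the generated text on IFS.
count_words_subst() {
    set -- $(find "$1" -type f -print)
    echo "$#"
}

# find -exec hands names to the command directly, with no text reparsing.
count_args_exec() {
    find "$1" -type f -exec sh -c 'echo "$#"' sh {} +
}

sample=$(make_sample_dir)
echo "-print | xargs     : $(count_args_print "$sample") arguments for 2 files"
echo "unquoted \$(..)     : $(count_words_subst "$sample") words for 2 files"
echo "-print0 | xargs -0 : $(count_args_print0 "$sample") arguments for 2 files"
echo "find -exec {} +    : $(count_args_exec "$sample") arguments for 2 files"
rm -rf "$sample"
```
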