Re: "command -p" does not correctly limit search to a safe PATH

Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> · Fri, 26 Sep 2014 17:19:42 +0800

On Fri, Jul 19, 2013 at 09:49:31PM +0000, Harald van Dijk wrote:
>
> So, how about this, to be applied on top of my previous patch? It
> defaults to using confstr() if available and reporting a hard error at
> run time if that fails, but it can be configured to not use confstr(),
> and/or fall back to a path specified at configuration time:

Thanks for the patch.  But until someone who needs this complexity
steps up, I'm going to stick with the simpler version below:

commit 842050da1c14d7dbe365cd750032fcd8eaaa1db2
Author: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date:   Fri Sep 26 17:18:35 2014 +0800

    [BUILTIN] Set command -p path to /usr/sbin:/usr/bin:/sbin:/bin
    
    Exclude /usr/local from command -p PATH.
    
    Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

diff --git a/ChangeLog b/ChangeLog
index eb3bbc3..ba67b6e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 2014-09-26  Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
 
 	* Small optimisation of command -pv change.
+	* Set command -p path to /usr/sbin:/usr/bin:/sbin:/bin.
 
 2014-09-26  Harald van Dijk <harald@xxxxxxxxxxx>
 
diff --git a/src/var.h b/src/var.h
index 79ee71a..872e2db 100644
--- a/src/var.h
+++ b/src/var.h
@@ -107,7 +107,7 @@ extern const char defifsvar[];
 extern const char defifs[];
 #endif
 extern const char defpathvar[];
-#define defpath (defpathvar + 5)
+#define defpath (defpathvar + 36)
 
 extern int lineno;
 extern char linenovar[];

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe dash" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html







