On Tue, 7 Oct 2003, Chip Salzenberg wrote:

> According to Booker Bense:
> > if it can be interpreted by the shell it should not be in a filename
> > that you download over the internet. The BADCHARS list was created
> > from experience with the kind of exploits common when trn was under
> > active development [...]
>
> But modern shells didn't exist then. Shall I enumerate the
> punctuation marks that are *not* metacharacters to zsh and/or bash?
> It's a short list. Conversely, modern shells have tab-completion that
> automatically uses quotes and backslashes to turn any filename safe.
> The only untenable situation seems to be the status quo.
>
> Failing a consensus (which seems distant), perhaps BADCHARS could be
> made a configuration item? One more of those couldn't hurt.

- I don't much care, as I never download files via trn, but I don't buy the argument about "modern shells". Shells and the rules for quoting metachars are the same now as they were then. The only difference is that the shell does more of it for you by default now. Also, the shell that's running the system call on most unix boxes is likely a stripped-down /bin/sh which is not going to do the fancy quoting for you. If you can absolutely guarantee that these files will never be blindly put into a system call, then maybe what you suggest is okay. It seems like it'd be fairly trivial to come up with an exploit using external viewers and MIME.

- I've been looking for an excuse to finally sit down and remap my newsreading finger set to GNUS; maybe this is it.

Booker C. Bense
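The point under dispute above is what happens when a filename is spliced raw into a command string that goes to /bin/sh, the system(3) pattern, and whether a reject list or quoting is the right defence. The following is an added example written for this page; it is not trn's code and not code from anyone in the thread. The BADCHARS set it uses is a hypothetical, deliberately conservative list and is not trn's actual BADCHARS; `echo` stands in for the external viewer so the effect shows up as output instead of as damage; the sample filenames are constructed.

```python
# Added example, not code from trn or from the thread participants.
# Shows the failure mode being discussed: a downloaded filename pasted into a
# command string handed to /bin/sh (the system(3) pattern), so shell
# metacharacters in the name become shell syntax. Two defences follow: a
# BADCHARS-style reject list (hypothetical, not trn's list) and quoting or
# exec without a shell.
import shlex
import subprocess

# Hypothetical reject list in the spirit of trn's BADCHARS: characters a
# Bourne-style shell may interpret in an unquoted word. Conservative on
# purpose ('#', '~' and '!' are only special in some positions or shells).
BADCHARS = set(";&|<>`$\"'\\(){}[]*?~#!\n\t ")


def has_badchars(name: str) -> bool:
    """True if the name contains anything on the reject list."""
    return any(c in BADCHARS for c in name)


def run_unquoted(viewer: str, filename: str) -> str:
    """Unsafe: the equivalent of system("viewer NAME") with NAME spliced in
    raw. shell=True hands the string to /bin/sh, which does no quoting for
    you, regardless of what an interactive zsh or bash would do."""
    cmd = f"{viewer} {filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(viewer: str, filename: str) -> str:
    """Same /bin/sh path, but the name is single-quoted before splicing, so
    the shell sees one word."""
    cmd = f"{viewer} {shlex.quote(filename)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_noshell(viewer: str, filename: str) -> str:
    """No shell at all: exec the viewer with the name as a single argv entry.
    Nothing parses the name, so no metacharacter can matter."""
    return subprocess.run([viewer, filename], capture_output=True, text=True).stdout


# Constructed samples. HOSTILE carries a second command after ';'.
HOSTILE = "article.txt; echo INJECTED"
BENIGN = "article.txt"


if __name__ == "__main__":
    print("reject list:", has_badchars(HOSTILE), has_badchars(BENIGN))
    print("unquoted:", repr(run_unquoted("echo", HOSTILE)))  # two commands ran
    print("quoted:  ", repr(run_quoted("echo", HOSTILE)))    # one argument
    print("no shell:", repr(run_noshell("echo", HOSTILE)))   # one argument
```

Run it and the unquoted variant prints two lines, the second from the injected command, while the quoted and no-shell variants print the whole hostile name back as a single argument. The reject list catches this sample, but `run_noshell` is the defence that does not depend on the list being complete, which is the guarantee the reply above asks for: that the name is never blindly put into a system call.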