Date: Mon, 9 Dec 2019 15:18:08 +0000
From: Leonid Isaev <leonid.isaev@...x.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shell wildcards considered dangerous?

On Mon, Dec 09, 2019 at 03:42:47PM +0100, Noel Kuntze wrote:
> That is only a problem if the developer(s) foolishly didn't use "--" to
> terminate the command line options or they did, but the argument parser of
> the called program does not understand that "--" is a command line option
> terminator.

I'm sorry, but this has nothing to do with developers of PROGRAM to use or
not use "--", but rather with the user not properly sanitizing the input to
the PROGRAM and not understanding how shell works. Specifically, doing

    PROGRAM *.tar

is just asking for trouble for many reasons, not mentioned in the original
email. See https://mywiki.wooledge.org/BashPitfalls#for_f_in_.24.28ls_.2A.mp3.29
(and in general BashPitfalls) for a proper discussion...

HTH,
L.

--
Leonid Isaev
Linux Support Engineer
iFAX Solutions, Inc.
www.ifax.com
+1.215.825.8700 ext 8126 (office)
+1.215.825.8767 (fax)
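The disagreement above (whether the fix belongs in PROGRAM's option parser or in how the caller spells the glob) can be shown with an added example that is not part of this thread or of any real tool. `demo_prog` is a hypothetical stand-in for PROGRAM: it parses options getopt-style, so every argument beginning with `-` is an option until it sees `--`. The directory it is run in is constructed by the script itself and contains one file whose name starts with `-`. The script then compares the bare `PROGRAM *.tar` call with the two defensive spellings (`-- *.tar`, which works only if PROGRAM honours `--`, and `./*.tar`, which works regardless of the parser), and adds the other pitfall the linked BashPitfalls entry covers: a glob that matches nothing is passed through literally in POSIX sh, so a per-file loop needs an existence check.

```shell
#!/bin/sh
# Added example; demo_prog is a hypothetical stand-in for PROGRAM, not real code.
# It treats any argument starting with "-" as an option until "--" is seen,
# then counts the remaining arguments as file operands. Prints "opts files".
demo_prog() {
    opts=0
    files=0
    while [ $# -gt 0 ]; do
        case $1 in
            --) shift; break ;;             # explicit end of options
            -*) opts=$((opts + 1)) ;;       # looks like an option to the parser
            *)  files=$((files + 1)) ;;
        esac
        shift
    done
    files=$((files + $#))                   # everything after "--" is a file
    echo "$opts $files"
}

# Constructed fixture: three .tar files, one of them named so that an
# unqualified glob hands the parser something that looks like an option.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/a.tar"
    : > "$d/b.tar"
    : > "$d/-n.tar"
    printf '%s\n' "$d"
}

# The three spellings of the same call, run inside the fixture directory.
run_unsafe()   { ( cd "$1" && demo_prog *.tar ); }      # PROGRAM *.tar
run_dashdash() { ( cd "$1" && demo_prog -- *.tar ); }   # needs "--" support
run_dotslash() { ( cd "$1" && demo_prog ./*.tar ); }    # parser-independent

# Per-file loop that is safe on both counts: the directory prefix means no
# operand can start with "-", and the -e test skips the literal "*.tar" that a
# non-matching glob leaves behind in POSIX sh (no nullglob).
count_tars() {
    n=0
    for f in "$1"/*.tar; do
        [ -e "$f" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone demonstration on the constructed fixture, cleaned up afterwards.
demo_dir=$(make_fixture)
echo "PROGRAM *.tar     -> opts files: $(run_unsafe "$demo_dir")"
echo "PROGRAM -- *.tar  -> opts files: $(run_dashdash "$demo_dir")"
echo "PROGRAM ./*.tar   -> opts files: $(run_dotslash "$demo_dir")"
echo "safe loop counted: $(count_tars "$demo_dir") files"
rm -rf "$demo_dir"
```

The first line of output shows one of the three files being consumed as an option; the other two spellings hand all three to the program as operands. Of the two, `./*.tar` is the one that does not depend on the called program's parser at all, which is the caller-side fix this reply argues for.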