From: Jilles Tjoelker <jilles@stack.nl>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Harald van Dijk <harald@gigawatt.nl>,
Craig Loomis <cploomis@gmail.com>, dash <dash@vger.kernel.org>
Subject: Re: "command -p" does not correctly limit search to a safe PATH
Date: Sat, 27 Sep 2014 23:57:06 +0200 [thread overview]
Message-ID: <20140927215706.GA25474@stack.nl> (raw)
In-Reply-To: <20140926091942.GB14940@gondor.apana.org.au>
On Fri, Sep 26, 2014 at 05:19:42PM +0800, Herbert Xu wrote:
> On Fri, Jul 19, 2013 at 09:49:31PM +0000, Harald van Dijk wrote:
> >
> > So, how about this, to be applied on top of my previous patch? It
> > defaults to using confstr() if available and reporting a hard error at
> > run time if that fails, but it can be configured to not use confstr(),
> > and/or fall back to a path specified at configuration time:
> Thanks for the patch. But until someone who needs this complexity
> steps up, I'm going to stick with the simpler version below:
> [snip]
> diff --git a/src/var.h b/src/var.h
> index 79ee71a..872e2db 100644
> --- a/src/var.h
> +++ b/src/var.h
> @@ -107,7 +107,7 @@ extern const char defifsvar[];
> extern const char defifs[];
> #endif
> extern const char defpathvar[];
> -#define defpath (defpathvar + 5)
> +#define defpath (defpathvar + 36)
>
> extern int lineno;
> extern char linenovar[];
This needs a comment at the definition of defpathvar in var.c;
otherwise, someone changing the default path will subtly break command
-p without knowing. The number 36 is rather magic too, but it can be
found back through git history.
Alternatively, you could rely on the linker combining common string
constant endings: put in some #define for
"/usr/sbin:/usr/bin:/sbin:/bin" and make defpathvar a #define instead of
a const array.
--
Jilles Tjoelker
next prev parent reply other threads:[~2014-09-27 22:07 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-10 18:18 "command -p" does not correctly limit search to a safe PATH Craig Loomis
2013-07-14 19:54 ` Harald van Dijk
2013-07-19 21:49 ` Harald van Dijk
2014-09-26 9:19 ` Herbert Xu
2014-09-27 21:57 ` Jilles Tjoelker [this message]
2014-09-26 8:44 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140927215706.GA25474@stack.nl \
--to=jilles@stack.nl \
--cc=cploomis@gmail.com \
--cc=dash@vger.kernel.org \
--cc=harald@gigawatt.nl \
--cc=herbert@gondor.apana.org.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.