* Inheriting IFS from environment
@ 2015-12-30 17:06 Martijn Dekker
2016-01-03 18:46 ` Gioele Barabucci
0 siblings, 1 reply; 2+ messages in thread
From: Martijn Dekker @ 2015-12-30 17:06 UTC (permalink / raw)
To: dash
Unlike bash, *ksh and zsh, dash allows inheriting IFS from the environment:
$ IFS=bla dash -c "x='hela hola'; echo \$x"
he ho
This seems a bit dodgy from a security point of view. For instance, most
scripts don't bother to quote their variables in test commands such as [
$var -eq 0 ], making it possible to influence the program flow by
manipulating IFS from the outside.
- M.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Inheriting IFS from environment
2015-12-30 17:06 Inheriting IFS from environment Martijn Dekker
@ 2016-01-03 18:46 ` Gioele Barabucci
0 siblings, 0 replies; 2+ messages in thread
From: Gioele Barabucci @ 2016-01-03 18:46 UTC (permalink / raw)
To: dash
On 30/12/2015 18:06, Martijn Dekker wrote:
> Unlike bash, *ksh and zsh, dash allows inheriting IFS from the environment:
>
> $ IFS=bla dash -c "x='hela hola'; echo \$x"
> he ho
>
> This seems a bit dodgy from a security point of view.
Hi,
The Debian BTS contains a similar report:
<https://bugs.debian.org/541642>. One suggestion from that thread:
> POSIX says (IEEE Std 1003.1, 2004 Edition; 2.5.3 Shell Variables):
>
>> Implementations may ignore the value of IFS in the environment at the
>> time the shell is invoked, treating IFS as if it were not set.
Regards,
--
Gioele Barabucci <gioele@svario.it>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-01-03 18:47 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-12-30 17:06 Inheriting IFS from environment Martijn Dekker
2016-01-03 18:46 ` Gioele Barabucci
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).