[bug #18576] -execdir vs. PATH
From: Eric Blake
Subject: [bug #18576] -execdir vs. PATH
Date: Fri, 22 Dec 2006 13:39:04 +0000
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9 Mnenhy/0.7.4.666
URL:
<http://savannah.gnu.org/bugs/?18576>
Summary: -execdir vs. PATH
Project: findutils
Submitted by: ericb
Submitted on: Friday 12/22/2006 at 06:39
Category: find
Severity: 3 - Normal
Item Group: Wrong result
Status: None
Privacy: Public
Assigned to: None
Originator Name: Eric Blake
Originator Email: address@hidden
Open/Closed: Open
Discussion Lock: Any
Release: 4.3.2
Fixed Release: None
_______________________________________________________
Details:
-execdir has some annoying behavior:
$ PATH=:$PATH find -execdir /bin/echo {} +
find: The current directory is included in the PATH environment variable,
which is insecure in combination with the -execdir action of find. Please
remove the current directory from your $PATH (that is, remove "." or leading
or trailing colons)
Here, I don't think the security warning should occur. Because my command
(/bin/echo) is absolute, it should not matter what PATH contains, because
PATH is not consulted in anything invoked by find.
On the other hand, -execdir should warn on this, but currently doesn't:
$ mkdir a
$ cat > a/echo << EOF
#!/bin/sh
echo wrong echo
EOF
$ chmod +x a/echo
$ PATH=./.:$PATH find -execdir echo {} +
wrong echo
The key here is that it is not just the presence of '.' in PATH, but the
presence of ANY element in PATH that does not start with /, where a path
lookup can result in executing a different executable depending on the
current directory at the time of the path lookup.
Which means I also think that find should not warn on this case, again
because the presence of / in the command means that PATH is not consulted,
and I really DID intend to execute my echo, because I just validated with
-name that it exists:
$ mkdir a
$ cat > a/echo << EOF
#!/bin/sh
echo my echo
EOF
$ chmod +x a/echo
$ find -name echo -execdir ./echo {} +
my echo
$ PATH=:$PATH find -name echo -execdir ./echo {} +
find: The current directory is included in the PATH environment variable,
which is insecure in combination with the -execdir action of find. Please
remove the current directory from your $PATH (that is, remove "." or leading
or trailing colons)
In short, I think the rule should be:
If the first argument after -execdir contains no /, and if any component of
PATH does not start with /, warn.
Otherwise, no PATH lookup will occur, so proceed, even if PATH contains a
relative component or if command is relative.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?18576>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
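
The rule proposed at the end of the report, written out as a C predicate. This is an added example, not code from findutils or from the reporter; the function names and the sample PATH values are made up for illustration, and an unset PATH is assumed to be safe.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not findutils code): true when some PATH element is
   relative, meaning empty (leading, trailing or doubled colon) or not
   starting with '/'.  Assumption: an unset PATH is treated as safe. */
bool path_has_relative_element(const char *path)
{
    if (path == NULL)
        return false;
    for (const char *p = path;;) {
        /* p is at the first character of an element; for an empty
           element that is ':' or the terminating NUL. */
        if (*p != '/')
            return true;
        const char *colon = strchr(p, ':');
        if (colon == NULL)
            return false;
        p = colon + 1;
    }
}

/* The proposed rule: warn only if the command would be searched for in
   PATH (no '/' in it) and that search could depend on the current
   directory. */
bool execdir_should_warn(const char *command, const char *path)
{
    if (strchr(command, '/') != NULL)
        return false;           /* PATH is not consulted at all */
    return path_has_relative_element(path);
}

int main(void)
{
    /* Constructed cases mirroring the three invocations in the report. */
    const char *cases[][2] = {
        { "/bin/echo", ":/bin:/usr/bin" },    /* absolute command */
        { "echo",      "./.:/bin:/usr/bin" }, /* relative element "./." */
        { "./echo",    ":/bin:/usr/bin" },    /* command contains '/' */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-10s PATH=%-18s -> %s\n", cases[i][0], cases[i][1],
               execdir_should_warn(cases[i][0], cases[i][1]) ? "warn" : "ok");
    return 0;
}
```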