[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)

From: Larry W. Virden, x2487
Subject: Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)
Date: Wed, 25 Jun 1997 08:20:38 -0400

>I know.  That's why I'm suggesting putting "exec" in front of the command
>string passed to system, as a less-hassle alternative: the shell does the
>parsing, but then gets replaced by the first command before it can cause
>any mischief.

This would, of course, cause problems in processing the DOWNLOADER and PRINTER
commands, where in the past recommendations have been made to users to do
things like

#DOWNLOADER:Use Zmodem to download to the local terminal:sz %s:TRUE
#    (example script in lieu of :sz %s: for offering a suggested filename)
#  :set %s %s;td=/tmp/Lsz$$;mkdir $td;ln -s $1 $td/"$2";sz $td/"$2";rm -r $td:

I suspect that a note (similar to the one in the PRINTER section warning
folk of the danger of doing this) should be added to this comment.
Larry W. Virden                 INET: address@hidden
<URL:> <*> O- "We are all Kosh."
Unless explicitly stated to the contrary, nothing in this posting should 
be construed as representing my employer's opinions.
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]