Re: LYNX-DEV VU#5135 (Lynx vulnerability?) (fwd)

[Larry W. Virden, x2487]

>I know.  That's why I'm suggesting putting "exec" in front of the command
>string passed to system, as a less-hassle alternative: the shell does the
>parsing, but then gets replaced by the first command before it can cause
>any mischief.

This would, of course, cause problems in processing the DOWNLOADER and PRINTER
commands, where in the past recommendations have been made to users to do
things like

#DOWNLOADER:Use Zmodem to download to the local terminal:sz %s:TRUE
#    (example script in lieu of :sz %s: for offering a suggested filename)
#  :set %s %s;td=/tmp/Lsz$$;mkdir $td;ln -s $1 $td/"$2";sz $td/"$2";rm -r $td:

I suspect that a note (similar to the one in the PRINTER section warning
folk of the danger of doing this) should be added to this comment.
-- 
Larry W. Virden                 INET: address@hidden
<URL:http://www.teraform.com/%7Elvirden/> <*> O- "We are all Kosh."
Unless explicitly stated to the contrary, nothing in this posting should 
be construed as representing my employer's opinions.
;
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.
;