[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug #18554] feat req: -exec cmd {} more args +

From: James Youngman
Subject: [bug #18554] feat req: -exec cmd {} more args +
Date: Fri, 22 Dec 2006 12:37:15 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/20061115 Ubuntu/dapper-security Firefox/

Follow-up Comment #7, bug #18554 (project findutils):

Thanks for the (pretty much) official interpretation Geoff.

The findutils documentation would not include an example showing how to
accomplish this with "sh -c" though, because of the disastrous security
implications of passing untrusted data such as filenames to the shell.   

In fact I'd recommend that the POSIX revision you're talking about explicitly
point out that this (along with almost any other use of "find ... -exec sh -c
...") is bad security practice.

(I know privileged operations are out of scope for POSIX, but I'd guess that
a form of words can be found that preserves the useful guidance)


Reply to this item at:


  Message sent via/by Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]