That "typical usage example" in the info page for dircolors:

     eval `dircolors [OPTION]... [FILE]`

(see
http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/coreutils/coreutils/doc/coreutils.texi?rev=1.233
@example
eval `dircolors [EMAIL PROTECTED]@dots{} [EMAIL PROTECTED]
@end example)

is not correct and can be exploited in various ways if someone
has such a line in his ~/.shellrc.

It should be:

eval "`dircolors [OPTION]... [FILE]`"

Otherwise, it is subject to word splitting and filename
generation so that one can have any user run any arbitrary code
by simply creating files with the proper name.

For instance, if dircolors -b outputs:

LS_COLORS='no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:ex=01;32:*.tar=01;31:*.tgz=01;31:';
export LS_COLORS

and one does:

touch "LS_COLORS='no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;\
35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:ex=01;32:Z.tar=\
01;31:'; rm -rf \$HOME; : '.tgz=01;31:';"

then

eval `dircolors -b`

deletes the home of everyone who is running it in the directory
containing that file.

I've been told some Linux distributions have this kind of line
in the system /etc/bash.bashrc

-- 
Stéphane
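
A harmless reproduction of the word splitting and filename generation described in the message above, added here as an example and not part of the original post. `fake_dircolors`, the shortened LS_COLORS value and the `INJECTED` marker are assumptions constructed for the demo; the file name only sets a variable, inside a scratch directory.

```shell
#!/bin/sh
# fake_dircolors is a stand-in (assumption) for `dircolors -b`, with a
# shortened LS_COLORS value so the demo does not depend on the real tool.
fake_dircolors() {
    printf '%s\n' "LS_COLORS='ex=01;32:*.tar=01;31:*.tgz=01;31:';" \
                  "export LS_COLORS"
}

# Create a scratch directory holding one file whose name matches the glob
# pattern formed by the first word of the output. The name is constructed
# for this demo and its payload only sets a marker variable (INJECTED).
make_scratch() {
    dir=$(mktemp -d) || return 1
    : > "$dir/LS_COLORS='ex=01;32:Z.tar=01;31:'; INJECTED=yes; : '.tgz=01;31:';"
    printf '%s\n' "$dir"
}

# Unquoted form: the substitution is word-split and globbed, so the file
# name replaces the first word before eval sees it.
run_unquoted() (
    cd "$1" || exit 1
    unset INJECTED
    eval `fake_dircolors`
    printf '%s\n' "${INJECTED:-no}"
)

# Quoted form: eval receives the command output verbatim, so the "*"
# characters stay inside the single-quoted LS_COLORS value.
run_quoted() (
    cd "$1" || exit 1
    unset INJECTED
    eval "`fake_dircolors`"
    printf '%s\n' "${INJECTED:-no}"
)

scratch=$(make_scratch)
echo "unquoted: INJECTED=$(run_unquoted "$scratch")"
echo "quoted:   INJECTED=$(run_quoted "$scratch")"
rm -rf "$scratch"
```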


