Follow-up Comment #8, bug #18576 (project findutils):
True, any command that invokes another app (nice, su, nohup, ...) can perform
PATH searches. But is this really find's problem? It is not sensible to
teach find about every program that invokes one of its arguments as another
program. Maybe a compromise is in order: if PATH contains relative elements,
find should always issue a warning, regardless of whether command or its
arguments have a /, on the grounds that the invoked command may also cause an
insecure PATH search. Additionally, if command does not contain /, and a PATH
search encounters a relative path before finding command, then find should
outright fail. In other words, only fail when find can _prove_ that a
relative path search will occur, but warn the user of the security potential
without worrying about deciphering the semantics of how command will further
parse its arguments.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?18576>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
_______________________________________________
Bug-findutils mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/bug-findutils
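The warn-versus-fail policy sketched in the comment above, written out as an added example. This is not findutils code and not the commenter's; it is a stand-alone Python sketch. The `exists(directory, command)` callback, the `FAKE_FS` table and the `check_exec_path` name are assumptions introduced here so the walk over PATH can be exercised without touching the real filesystem.

```python
"""Check an exec-style command against PATH for insecure relative elements.

Constructed example (not findutils code). Policy implemented:
  - If PATH holds any relative element ("", ".", "bin", ...), warn, because the
    invoked program may itself run a PATH search that hits that element.
  - If the command has no '/' and the PATH walk reaches a relative element
    before a directory that holds the command, fail: a relative-directory
    search is then provable, not merely possible.
"""
import os
from typing import Callable, List, Tuple

ExistsFn = Callable[[str, str], bool]


def path_elements(path: str) -> List[str]:
    """Split PATH the way execvp does; an empty element means the current directory."""
    return path.split(":")


def is_relative(element: str) -> bool:
    """Any element not starting with '/' (the empty string included) is relative."""
    return not element.startswith("/")


def describe(element: str) -> str:
    """Human-readable name for a PATH element in messages."""
    return "(empty)" if element == "" else element


def check_exec_path(command: str, path: str, exists: ExistsFn) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'ok', 'warn' or 'fail'.

    `exists(directory, command)` reports whether the command would be found
    in that directory; it is injected so the logic is testable offline.
    """
    elements = path_elements(path)
    relatives = [describe(e) for e in elements if is_relative(e)]
    warn_reason = ("PATH contains relative element(s) %s; the invoked program "
                   "may search them insecurely" % relatives)

    if "/" in command:
        # Caller resolves the command without a PATH search; only the child is at risk.
        if relatives:
            return "warn", warn_reason
        return "ok", "command given by path and PATH is absolute-only"

    for element in elements:
        if is_relative(element):
            # Reached before the command was found: the search is provably insecure.
            return "fail", ("relative PATH element %s precedes any directory "
                            "containing %r" % (describe(element), command))
        if exists(element, command):
            if relatives:
                return "warn", warn_reason
            return "ok", "found in %s with no relative PATH elements" % element

    # Every element was absolute and none held the command: exec will fail,
    # but no relative-directory search would have happened.
    return "ok", "command not found in PATH; no relative search occurs"


def real_exists(directory: str, command: str) -> bool:
    """Filesystem-backed predicate for use against the live environment."""
    return os.access(os.path.join(directory, command), os.X_OK)


# Constructed fake filesystem (assumption) so the demonstration runs offline.
FAKE_FS = {("/usr/bin", "rm"), ("/bin", "ls")}


def fake_exists(directory: str, command: str) -> bool:
    return (directory, command) in FAKE_FS


if __name__ == "__main__":
    cases = [
        ("rm", "/usr/bin:/bin"),       # ok: absolute-only PATH, command found
        ("rm", ".:/usr/bin"),          # fail: '.' searched before /usr/bin
        ("rm", "/usr/bin:."),          # warn: found first, but '.' is in PATH
        ("/usr/bin/rm", "/usr/bin:"),  # warn: trailing ':' is an empty element
        ("ls", "/usr/bin::/bin"),      # fail: empty element hit before /bin
    ]
    for cmd, p in cases:
        verdict, reason = check_exec_path(cmd, p, fake_exists)
        print("%-4s PATH=%-18r command=%-12r %s" % (verdict, p, cmd, reason))
    verdict, reason = check_exec_path("rm", os.environ.get("PATH", ""), real_exists)
    print("live PATH: %s (%s)" % (verdict, reason))
```

Note that the walk stops at the first relative element only when the command has not yet been found; a relative element after the directory that holds the command downgrades the result to a warning, which is exactly the distinction between a provable insecure search and a possible one that the comment draws.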