On Mon, Jan 29, 2018 at 2:51 AM, Bernd Petrovitsch
<be...@petrovitsch.priv.at> wrote:
> On Fri, 2018-01-26 at 15:15 +0100, Denys Vlasenko wrote:
>> On Fri, Jan 26, 2018 at 9:34 AM, Paul Otto <p...@ottoops.com> wrote:
> [...]
>> > According to the BASH documentation, the source command should:
>> > Read and execute commands from filename  in  the  current  shell 
>> > environment
>> > and return the exit status of the last command executed from filename.  If
>> > filename does not contain a slash, filenames  in  PATH  are used to find 
>> > the
>> > directory containing filename.  The file searched for in PATH  need  not  
>> > be
>> > executable. When  bash  is  not  in  posix  mode,  the  current directory 
>> > is
>> > searched if no file is found in PATH.
>>
>> I wish bash wouldn't introduce gratuitous standard violations.
>
> I see such behaviour more as a security problem - there are good
> reasons for not using "." automagically in $PATH (like DOS did .....).
>

The problem with DOS/Windows is that they prioritize "." (working directory)
over PATH when searching for commands, which can cause security problems.
Bash actually considers "." last, which is less of a security threat (unless
you're setting a shell environment when the user doesn't even have permission to
adjust $PATH).

For reference, here is the rationale in POSIX:

http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#dot

"Some older implementations searched the current directory for the [file],
even if the value of [PATH] disallowed it. This behavior was omitted from this
volume of POSIX.1-2008 due to concerns about introducing the susceptibility to
trojan horses that the user might be trying to avoid by leaving _dot_ out of
[PATH]."
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
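
The following is an added example, not part of the thread and not BusyBox or bash code: a POSIX sh wrapper that resolves a name for `.` through PATH only, with no current-directory fallback. It is stricter than POSIX in that it also ignores empty, "." and other relative PATH entries, and the function names `resolve_dot_file` and `safe_dot` are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not from bash or BusyBox.

# resolve_dot_file NAME: print the file a strict lookup for ". NAME" selects.
# Returns 1 when nothing is found; never falls back to the current directory.
resolve_dot_file() {
    name=$1
    case $name in
        */*)  # A slash disables the PATH search: the name is used as given.
            [ -f "$name" ] && [ -r "$name" ] || return 1
            printf '%s\n' "$name"
            return 0 ;;
    esac
    # Walk PATH entry by entry; the appended ':' exposes a trailing empty entry.
    rest=${PATH}:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            /*) ;;           # absolute entry: search it
            *)  continue ;;  # empty, "." or relative entry means cwd: skip it
        esac
        if [ -f "$dir/$name" ] && [ -r "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# safe_dot NAME: source NAME only if the strict lookup finds it.
safe_dot() {
    target=$(resolve_dot_file "$1") || {
        printf 'refusing to source %s: not in an absolute PATH entry\n' "$1" >&2
        return 1
    }
    # The resolved path always contains a slash, so "." does no search of its own.
    . "$target"
}
```
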
