...
> Yeah, the thing rather is that GNU getopt parses the command line
> and performs reorders.  I never really looked, but since the
> (entire family of the) mailer I maintain earned a security
> advisory for possible option injection attacks I always wondered
> how secure that can be...

Yes, that is entirely broken and should never have been committed.
I have to remember to add the 'magic character' to disable it.

Historically a few programs use nonstandard argument ordering.
Most notably 'rlogin hostname -l username' but that really
doesn't justify how GNU getopt() works.

Programs like tail, seq and sort are old and have argument
parsing that (probably) predates the standard.
(Although 'sort +4' seems to have been disabled even though
it worked fine for over 30 years.)

I wonder if there is an easy way to 'escape' from busybox
getopt's 'unknown option' error path without printing a
message (and then being able to print the message) so that
programs like seq can decide that -12 isn't actually invalid.

        David


_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
