Nicolas Williams wrote:
> On Wed, Jun 04, 2008 at 10:30:57PM +0200, Roland Mainz wrote:
> > David Bustos wrote:
> > >         set -- `svcprop ...`
> > >         # use positional parameters
> > >
> > Note that the example above relies on the use of IFS _and_ may be
> > vulnerable to arbitrary (shell) code execution. Technically the use of
> 
> The idea is for svcprop to quote things so this is not vulnerable
> provided you're using the standard IFS.

IFS is technically the root of all the problems around "read" and "set".
To get a fully secure script you have to set IFS='' and turn off globbing
- on the other side you prevent yourself from parsing such values when
you set IFS=''. IMO we need a better solution (see my other email for a
proposal) ...

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 7950090
 (;O/ \/ \O;)

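Added example (not from the thread, and not svcprop's own code): a POSIX sh script that shows the two hazards discussed above, word splitting under IFS and pathname expansion (globbing) of the split fields, when `set -- $(cmd)` is used on command output, and the two mitigations Roland mentions, `set -f` and `IFS=''`. `fake_svcprop` is a constructed stand-in that prints one property line in the "name type value" shape; the value deliberately contains a space and a `*.conf` pattern. The scratch directory and its two `.conf` files are created by the script so the glob has something to match.

```sh
#!/bin/sh
# Constructed stand-in for `svcprop -p name fmri` output (not the real tool):
# one line of "name type value", where the value contains a space and a glob.
fake_svcprop() {
    printf '%s\n' 'start/exec astring /opt/app/run *.conf'
}

# Scratch directory with two files that the pattern `*.conf` will match.
setup_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/a.conf"
    : > "$d/b.conf"
    printf '%s\n' "$d"
}

# Hazard: default IFS splits the line into words, and each unquoted word is
# then subject to pathname expansion. `*.conf` becomes a.conf and b.conf,
# so the caller sees 5 positional parameters instead of 4.
count_fields_unsafe() {
    (
        cd "$1" || exit 1
        set -- $(fake_svcprop)
        printf '%s\n' "$#"
    )
}

# Mitigation 1: `set -f` turns off globbing, so `*.conf` stays one literal
# word. Splitting on IFS still happens, which is what we want here: 4 fields.
count_fields_noglob() {
    (
        cd "$1" || exit 1
        set -f
        set -- $(fake_svcprop)
        printf '%s\n' "$#"
    )
}

# Mitigation 2: IFS='' plus `read -r` keeps the whole line intact. Nothing is
# split and nothing is glob-expanded, at the cost of not parsing the value.
read_value_whole() {
    fake_svcprop | {
        IFS= read -r line
        printf '%s\n' "$line"
    }
}

# Stand-alone demonstration.
scratch=$(setup_dir) || exit 1
printf 'unsafe field count:  %s\n' "$(count_fields_unsafe "$scratch")"
printf 'noglob field count:  %s\n' "$(count_fields_noglob "$scratch")"
printf 'whole line via read: %s\n' "$(read_value_whole)"
rm -rf "$scratch"
```

The first count only differs from the second when a matching file happens to exist in the current directory, which is exactly what makes the unsafe form hard to spot in testing; the safe variants give the same answer regardless of what is on disk.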