On Wed, Jun 04, 2008 at 11:15:32PM +0200, Roland Mainz wrote:
> Nicolas Williams wrote:
> > On Wed, Jun 04, 2008 at 10:30:57PM +0200, Roland Mainz wrote:
> > > David Bustos wrote:
> > > >         set -- `svcprop ...`
> > > >         # use positional parameters
> > > >
> > > Note that the example above relies on the use of IFS _and_ may be
> > > vulnerable to arbitrary (shell) code execution. Technically the use of
> > 
> > The idea is for svcprop to quote things so this is not vulnerable
> > provided you're using the standard IFS.
> 
> IFS is technically the root of all the problems around "read" and "set".
> To get a fully secure script you have to set IFS='' and turn off globbing
> - on the other side you prevent yourself from parsing such values when
> you set IFS=''. IMO we need a better solution (see my other email for a
> proposal) ...

Globbing is not an issue since svcprop will quote things.
