On 10/08/16 08:40, Jilles Tjoelker wrote:
Author: jilles
Date: Sat Oct 8 13:40:12 2016
New Revision: 306843
URL: https://svnweb.freebsd.org/changeset/base/306843

Log:
  sh: Do not import IFS's value from the environment.

  Per Austin group issue #884, always set IFS to $' \t\n'. As before, IFS will be exported iff it was in the environment.

  Most shells (e.g. bash, ksh93 and mksh) already did this.

  This change improves predictability, in that scripts can simply rely on the default value.

  However, the effect on security is little, since applications should not be calling the shell with attacker-controlled environment variable names in the first place and other security-sensitive variables such as PATH should be and are imported by the shell.

  When using a new sh with an old (before 10.2) libc wordexp(), IFS is no longer passed on. Otherwise, wordexp() continues to pass along IFS from the environment per its documentation.

  Discussed with: pfg
  Relnotes: yes
For the record, the idea was suggested originally by Joerg Schilling. Thanks!

Pedro.
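A way to check which startup behaviour a given sh has, together with a script prologue that does not depend on it, as an added example that is not part of the commit or of this thread. The names `DEFAULT_IFS`, `probe_ifs_import` and `count_fields` and the sample string are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; DEFAULT_IFS, probe_ifs_import and count_fields are
# hypothetical names, not taken from the commit.

# Portable way to build the default IFS (space, tab, newline). Command
# substitution strips trailing newlines, so a sentinel "x" protects the
# newline and is removed afterwards.
DEFAULT_IFS=$(printf ' \t\nx')
DEFAULT_IFS=${DEFAULT_IFS%x}

# Script prologue that gives the same splitting on shells from before and
# after this change: set IFS explicitly instead of trusting the startup value.
IFS=$DEFAULT_IFS

# probe_ifs_import SHELL
# Start SHELL with IFS=":" in its environment and report whether the child
# began with that value ("imported") or with its own default ("reset").
probe_ifs_import() {
    env IFS=: "$1" -c 'if [ "$IFS" = ":" ]; then echo imported; else echo reset; fi'
}

# count_fields IFS_VALUE STRING
# Print how many fields an unquoted expansion of STRING yields under IFS_VALUE.
# Runs in a subshell so the caller's IFS and globbing settings are untouched.
count_fields() {
    (
        IFS=$1
        set -f            # no pathname expansion, only field splitting
        set -- $2
        echo "$#"
    )
}

sample='alpha beta:gamma delta'   # constructed input
echo "sh startup IFS: $(probe_ifs_import sh)"
echo "fields with default IFS: $(count_fields "$DEFAULT_IFS" "$sample")"
echo "fields with IFS=':'    : $(count_fields : "$sample")"
```

The two field counts differ for the same string, which is the unpredictability a script inherits when its shell takes IFS from the environment.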
