[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
a2ps using "file -L %s" as shell argument? Huh?
|
From: |
Rudolf Polzer |
|
Subject: |
a2ps using "file -L %s" as shell argument? Huh? |
|
Date: |
Wed, 18 Aug 2004 13:37:37 +0200 |
|
User-agent: |
Mutt/1.5.6i |
address@hidden /tmp $ ls -la You*
-rw-r--r-- 1 polzer ommz 6 Aug 18 13:26 You better not print this file.txt
`echo>&2 this could have been a rm -rf YOURHOMEDIR`
address@hidden /tmp $ a2ps -o /dev/null You*
this could have been a rm -rf YOURHOMEDIR
[You better not print this file.txt `echo>&2 this could have been a rm
-rf YOURHOMEDIR` (plain): 1 page on 1 sheet]
[Total: 1 page on 1 sheet] saved into the file `/dev/null'
address@hidden /tmp $ a2ps --version
GNU a2ps 4.13
(also happens on 4.13b, FreeBSD)
Why not simply use fork/exec to be safe?
This could be a hole if someone uses a2ps in a shell script running over
a world writable directory... and it violates the principle of least
surprise (I stumbled over the bug when I had parentheses in my file
name).
I think it should be easy to fix... and I am currently thinking of
posting it on Full-Disclosure to warn people who perhaps actually use
a2ps like this.
Rudolf Polzer
--
/ --- Where bots rampage, I'm there to take them down! --- \
/ ------ Where trouble arises, I'm there to cause it! ------ \
\ Where an enemy tries to frag me, victory will be mine!!!1! /
{{dup[exch{dup exec}fork =}loop}dup exec >> http://www.ccc-offenbach.org <<
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- a2ps using "file -L %s" as shell argument? Huh?,
Rudolf Polzer <=