Re: MC shell scripts

• Previous message: Aleph One: "CERT Vendor-Initiated Bulletin VB-98.01 - excite"
• Maybe in reply to: Micha³ Zalewski: "MC shell scripts"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> I discovered a problem with Midnight Commander's method of decompressing
> archives, which allows execution of hidden commands. Evil file may be
> prepared this way:
>
> $ gzip foo
> $ mv foo.gz "quake2-test-unknown-linux-'\`rm -f *\`'-elf-i386-generic-beta.gz"
>
> Now, this filename, when displayed by user-friendly programs (www or
> ftp browsers, file managers), will be cropped to fit in a window :)
> Under my mc (vidmode 11) it's displayed as:

This problem has been fixed in the recent editions of the GNU Midnight
Commander by Norbert Warmuth.  Recent version of the GNU Midnight
Commander do not have this problem.

To get a recent version of the program, check:

        ftp://ftp.nuclecu.unam.mx/linux/local

For the latest stable release of the program.

Best wishes,
Miguel.

• Next message: Steve Bellovin: "Re: Java reboots win95 (or any java-enabled browser)"
• Previous message: Aleph One: "CERT Vendor-Initiated Bulletin VB-98.01 - excite"
• Maybe in reply to: Micha³ Zalewski: "MC shell scripts"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:39:58 PDT