Shadow wrote:
> mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
>
> and someone cd's into said directory, either by accident, or whatever,
> then it will cause it to actually execute.

It is a vulnerability of the prompt parsing, or more specifically the \w or \W prompt escapes for showing the current directory. These get parsed before backquote parsing of the prompt string.

Workaround: Make sure the variable PS1 is set to something not including the above escapes when cd'ing into directories with backquotes or $ as part of their name.

Patch for bash-1.14.7 attached. bug-bashat_private has been notified.

--
Henrik Nordstrom

Content-Disposition: inline; filename="bash_prompt.diff"

--- parse.y.orig Thu Apr 22 11:53:01 1999 +++ parse.y Thu Apr 22 12:56:34 1999 @@ -2729,6 +2729,17 @@ #else getwd (t_string); #endif /* EFFICIENT */ + if (strcspn(t_string, slashify_in_quotes) < strlen(t_string)) { + char t_string2[MAXPATHLEN]; + int i, j; + for (i = 0, j = 0 ; t_string[i] && j < MAXPATHLEN - 2 ; i++) { + if (member(t_string[i], slashify_in_quotes)) + t_string2[j++] = '\\'; + t_string2[j++] = t_string[i]; + } + t_string2[j] = '\0'; + strcpy(t_string, t_string2); + } if (c == 'W') {
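
Review bot: in the added copy loop, the bound `j < MAXPATHLEN - 2` ends the loop without any indication when the escaped path no longer fits, so the prompt silently shows a truncated directory. The bound itself is safe (each pass writes at most two bytes and the terminator still fits), but it deserves a comment saying so, along with a comment on why the path must be escaped before the prompt string is expanded. The `strcpy(t_string, t_string2)` that follows is only safe if `t_string` holds at least MAXPATHLEN bytes, and the escaping only closes the hole if `slashify_in_quotes` contains the backquote, `$` and the backslash itself; neither declaration is visible in this hunk, so both are worth confirming.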
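
The workaround described in the message, as an added example that is not part of the original post or of bash: shell helpers that report whether a prompt string uses the \w or \W escapes and whether a directory tree contains names with a backquote or $. All function names are hypothetical, and the prompt string is passed as an argument because PS1 is normally unset in a non-interactive shell.

```shell
#!/bin/sh
# Added example (not from the original message): audit helpers for the
# workaround. Function names are hypothetical.

# Succeeds if the prompt string passed as $1 contains \w or \W.
ps1_uses_cwd_escape() {
    case "$1" in
        *'\w'*|*'\W'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the path passed as $1 contains a backquote or a dollar sign.
path_has_expansion_chars() {
    case "$1" in
        *'`'*|*'$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints every directory below $1 whose own name contains ` or $.
find_risky_dirs() {
    find "$1" -type d \( -name '*`*' -o -name '*$*' \) -print 2>/dev/null
}

# Succeeds only when both conditions of the workaround are met at once:
# the prompt ($1) shows the working directory and the directory ($2)
# has a name that an unpatched prompt expansion would interpret.
prompt_at_risk() {
    ps1_uses_cwd_escape "$1" && path_has_expansion_chars "$2"
}

# Prints a one-line verdict for a prompt string ($1) and a tree ($2).
audit_tree() {
    count=$(find_risky_dirs "$2" | wc -l | tr -d ' ')
    if ps1_uses_cwd_escape "$1" && [ "$count" -gt 0 ]; then
        echo "AT RISK: prompt shows cwd, $count risky directory name(s)"
    else
        echo "OK: $count risky directory name(s), prompt exposure not met"
    fi
}
```

On a patched bash the audit is still useful for spotting directory names that were created to exercise this bug.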