Re: procmail
Casper Dik (casper HOLLAND.SUN.COM)
Tue, 22 Jul 1997 09:11:11 +0200
- Next message: Casper Dik: "Re: Solaris ld.so possibly vulnerable?"
- Previous message: Brock Rozen: "Re: procmail"
- In reply to: Olaf Kirch: "Re: procmail"
- Next in thread: Brock Rozen: "Re: procmail"

>On Mon, 21 Jul 1997 16:50:56 +0200, Casper Dik wrote:
>> Shells will not honor meta characters inside variables.
>>
>> The shell will first parse (the phase in which meta characters and keywords
>> are detected) and only then will it do variable substitution.
>>
>> Then it'll split stuff in words and only then wildcard expansion is done.
>
>There's some weird effect with tcsh (I don't know if that's standard csh
>behavior). When your shell script does a `set foo=$1' and the first
>argument is "xx PATH=~ftp/incoming:/usr/bin:/bin" it will do two
>simultaneous variable assignments, and thus overwrite the PATH variable
>with the string the attacker specified.
>
>Not sure if that qualifies as metacharacter expansion, but it's definitely
>scary:-) Metamail had this problem, fwiw.

Most likely because Csh/Tcsh variable assignments are treated differently
from sh assignments (which are part of the syntax; in csh/tcsh they're
part of the command language)

in Csh/tcsh you must quote the assignment.

The worst thing csh/tcsh do, however, is an "eval" on the variables
that are imported to local variables (HOME->home, TERM->term,
PATH->path, etc.)

So any set-uid/set-gid C-shell script or a C-shell script "captive" login;
they're all easily broken.

This is fixed in later tcsh revisions.

There are simply too many weird things in tcsh/csh to use them as a
scripting language for scripts other than .login/.cshrc etc.

Casper
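
Added example, not part of the original post: the distinction between an assignment that is shell syntax and one that is an ordinary command word, shown in POSIX sh. It goes slightly beyond the thread by using `env`, which (like csh's `set`) receives its assignments as command arguments; `DEMO_VAR` and the sample argument are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input: one argument that carries a second assignment.
# DEMO_VAR is a hypothetical variable standing in for PATH in the thread.
sample='xx DEMO_VAR=injected'

# Case 1: sh assignment is part of the syntax. The expansion of $1 is not
# field-split, so the embedded "DEMO_VAR=..." stays inside the value of foo.
syntax_assign() (
    DEMO_VAR=original
    foo=$1
    printf '%s|%s\n' "$foo" "$DEMO_VAR"
)

# Case 2: env takes assignments as ordinary command words. Unquoted, $1 is
# field-split after substitution and env sees two separate assignments.
command_assign_unquoted() (
    DEMO_VAR=original env foo=$1 \
        sh -c 'printf "%s|%s\n" "$foo" "$DEMO_VAR"'
)

# Case 3: same command, but the assignment word is quoted, so the whole
# argument remains a single word and a single assignment.
command_assign_quoted() (
    DEMO_VAR=original env "foo=$1" \
        sh -c 'printf "%s|%s\n" "$foo" "$DEMO_VAR"'
)

# Each line prints "<value of foo>|<value of DEMO_VAR>".
syntax_assign "$sample"
command_assign_unquoted "$sample"
command_assign_quoted "$sample"
```

Only the unquoted command-word form lets the caller's argument replace `DEMO_VAR`; quoting the assignment closes that gap.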