[4959] in bugtraq
Re: procmail
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Mon Jul 21 13:34:35 1997
Date: Mon, 21 Jul 1997 18:11:36 +0200
Reply-To: Olaf Kirch <okir@MONAD.SWB.DE>
From: Olaf Kirch <okir@MONAD.SWB.DE>
X-To: Casper Dik <casper@HOLLAND.SUN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 21 Jul 1997 16:50:56 +0200."
<199707211451.QAA05400@albano>
On Mon, 21 Jul 1997 16:50:56 +0200, Casper Dik wrote:
> Shells will not honor meta characters inside variables.
>
> The shell will first parse (the phase in which meta chacretsr and keywords
> are detected) and only then will it do variabel substitution.
>
> Then it'll split stuff in words and only then wildcard expansion is done.
There's some weird effect with tcsh (I don't know if that's standard csh
behavior). When your shell script does a `set foo=$1' and the first
argument is "xx PATH=~ftp/incoming:/usr/bin:/bin" it will do two
simultaenous variable assignments, and thus overwrite the PATH variable
with the string the attacker specified.
Not sure if that qualifies as metacharacter expansion, but it's definitely
scary:-) Metamail had this problem, fwiw.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
