This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.



Re: getopt() argument permuting considered risky


Hello Paul,

> "Michael T Kerrisk" <mtk-lists@gmx.net> writes:
> 
> >    $ grep string "$user_supplied_filename"
> 
> > would normally be safe
> 
> No it wouldn't.  If $user_supplied_filename is "-" it reads stdin,
> which typically will break the script.

Yes, but we can construct other examples that don't involve 
the interpretation of "-" by particular applications.

> This whole line of argument is a bit suspect.  Any paranoid script
> should be vetting user-supplied-filenames anyway.  And slapdash
> scripts are likely to be broken for many other reasons.  I don't think
> the problem here is a serious one.

Maybe.  My point is that glibc's getopt() behaviour introduces a
behaviour not present on other Unix systems.  There are certain
cases where vetting never was needed on those systems, but is
required on glibc platforms.

> > 1. What are the chances of having this feature removed 
> >     from glibc's getopt()?
> 
> Unlikely.  

Yes, well I guessed as much ;-).

> The code has been in the field for decades.  Like it or
> not, it was put in there by someone who knew the POSIX spec well (and
> even contributed to the spec, if memory serves).  Many people rely on
> the current behavior.
> 
> As a practical matter, portable scripts cannot assume the
> POSIX-specified behavior here.  

You mean because of the glibc behaviour?  Or are you making some 
more general point?

> At this point, I suspect it's more
> likely that the POSIX spec will get changed than glibc.
> 
> > 2. Perhaps Linux distributors should be setting 
> >    POSIXLY_CORRECT in their default shell start-up 
> >    files?
> 
> No, POSIXLY_CORRECT breaks too many things.  And I don't like the idea
> of GETOPT_POSIXLY_CORRECT either; it's not worth the hassle and opens
> the floodgates for more XXX_POSIXLY_CORRECT vars.  Just fix your
> scripts, if they're broken.  This is the least of your worries.

I don't have any broken scripts.  The whole point of this note was 
to raise what looks like a security risk when porting scripts and 
programs.  I'm still not convinced that such risks don't exist, but 
I'm also not sure how large they are.

Cheers,

Michael

-- 
Michael Kerrisk
mtk-lists@gmx.net

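The behaviour the thread argues about, shown in code as an added example (this is not part of the mail, nor glibc's own code): a small program whose option string accepts only `-v`, scanned over a constructed argv in which a user-supplied operand comes first and a `-v` comes after it. With glibc's default permuting getopt() the trailing `-v` is still consumed as an option; with a `--` terminator before the operands, a `+` prefix on the option string, or `POSIXLY_CORRECT` set (the three mitigations the thread touches on) parsing stops at the first operand, as POSIX specifies. The helper names `scan_args`, `scan_default` and friends are assumptions of this example; it also assumes a Linux libc (glibc or musl), where setting `optind = 0` re-initialises getopt() state, including a fresh read of `POSIXLY_CORRECT`.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Outcome of one getopt() scan over a constructed argv. */
struct scan {
    int verbose;   /* how many times "-v" was consumed as an option */
    int operands;  /* arguments left over as operands once getopt() returned -1 */
};

/* Run getopt() over argv with the given option string and summarise the result.
   optind = 0 makes glibc (and musl) re-initialise getopt() state, including a
   fresh look at POSIXLY_CORRECT; BSD libcs would need optreset instead
   (assumption of this example: a Linux libc). */
static struct scan scan_args(const char *optstring, int argc, char **argv)
{
    struct scan s = {0, 0};
    int c;

    optind = 0;
    opterr = 0;  /* keep getopt() quiet about anything unexpected */
    while ((c = getopt(argc, argv, optstring)) != -1) {
        if (c == 'v')
            s.verbose++;
    }
    s.operands = argc - optind;
    return s;
}

/* Default behaviour: on glibc the "-v" after the operand is still an option
   (verbose=1, operands=1); a POSIX getopt() stops at "userfile" (0 and 2). */
struct scan scan_default(void)
{
    char *argv[] = {"prog", "userfile", "-v", NULL};  /* constructed argv */
    return scan_args("v", 3, argv);
}

/* Mitigation 1: a "--" terminator ends option parsing on every libc,
   so anything after it, dash or not, is an operand. */
struct scan scan_with_terminator(void)
{
    char *argv[] = {"prog", "--", "userfile", "-v", NULL};
    return scan_args("v", 4, argv);
}

/* Mitigation 2: a leading '+' in the option string tells glibc not to
   permute, i.e. to stop at the first non-option argument. */
struct scan scan_with_plus(void)
{
    char *argv[] = {"prog", "userfile", "-v", NULL};
    return scan_args("+v", 3, argv);
}

/* Mitigation 3: POSIXLY_CORRECT in the environment, as discussed in the
   thread; glibc reads it when getopt() (re)initialises. */
struct scan scan_posixly_correct(void)
{
    char *argv[] = {"prog", "userfile", "-v", NULL};
    struct scan s;

    setenv("POSIXLY_CORRECT", "1", 1);
    s = scan_args("v", 3, argv);
    unsetenv("POSIXLY_CORRECT");
    return s;
}

int main(void)
{
    struct scan s;

    s = scan_default();
    printf("default:         options=%d operands=%d\n", s.verbose, s.operands);
    s = scan_with_terminator();
    printf("with \"--\":       options=%d operands=%d\n", s.verbose, s.operands);
    s = scan_with_plus();
    printf("with \"+v\":       options=%d operands=%d\n", s.verbose, s.operands);
    s = scan_posixly_correct();
    printf("POSIXLY_CORRECT: options=%d operands=%d\n", s.verbose, s.operands);
    return 0;
}
```

Of the three, only `--` is under the script author's control when calling somebody else's program, which is why it is the usual porting fix: `grep string -- "$user_supplied_filename"` behaves the same whether or not the underlying getopt() permutes.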

