This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.
Re: getopt() argument permuting considered risky
- From: "Michael T Kerrisk" <mtk-lists at gmx dot net>
- To: Paul Eggert <eggert at CS dot UCLA dot EDU>
- Cc: libc-alpha at sources dot redhat dot com,geoff at gclare dot org dot uk
- Date: Wed, 4 Aug 2004 21:31:10 +0200 (MEST)
- Subject: Re: getopt() argument permuting considered risky
- References: <87llgured9.fsf@penguin.cs.ucla.edu>
Hello Paul,
> "Michael T Kerrisk" <mtk-lists@gmx.net> writes:
>
> > $ grep string "$user_supplied_filename"
>
> > would normally be safe
>
> No it wouldn't. If $user_supplied_filename is "-" it reads stdin,
> which typically will break the script.
Yes, but we can construct other examples that don't involve
the interpretation of "-" by particular applications.
> This whole line of argument is a bit suspect. Any paranoid script
> should be vetting user-supplied-filenames anyway. And slapdash
> scripts are likely to be broken for many other reasons. I don't think
> the problem here is a serious one.
Maybe. My point is that glibc's getopt() behaviour introduces a
behaviour not present on other Unix systems. There are certain
cases where vetting never was needed on those systems, but is
required on glibc platforms.
> > 1. What are the chances of having this feature removed
> > from glibc's getopt()?
>
> Unlikely.
Yes, well I guessed as much ;-).
> The code has been in the field for decades. Like it or
> not, it was put in there by someone who knew the POSIX spec well (and
> even contributed to the spec, if memory serves). Many people rely on
> the current behavior.
>
> As a practical matter, portable scripts cannot assume the
> POSIX-specified behavior here.
You mean because of the glibc behaviour? Or are you making some
more general point?
> At this point, I suspect it's more
> likely that the POSIX spec will get changed than glibc.
>
> > 2. Perhaps Linux distributors should be setting
> > POSIXLY_CORRECT in their default shell start-up
> > files?
>
> No, POSIXLY_CORRECT breaks too many things. And I don't like the idea
> of GETOPT_POSIXLY_CORRECT either; it's not worth the hassle and opens
> the floodgates for more XXX_POSIXLY_CORRECT vars. Just fix your
> scripts, if they're broken. This is the least of your worries.
I don't have any broken scripts. The whole point of this note was
to raise what looks like a security risk when porting scripts and
programs. I'm still not convinced that such risks don't exist, but
I'm also not sure how large they are.
Cheers,
Michael
--
Michael Kerrisk
mtk-lists@gmx.net