Re: UGU file rename script (GOLF?)

While you're golfing, you might want to add the tiniest bit of security, for heaven's sake. String eval is a potentially very bad thing.

rename '`rm -rf /`' foo

Comment on Re: UGU file rename script (GOLF?) Download Code
Re: Re: UGU file rename script (GOLF?) by chipmunk (Parson) on Jul 20, 2001 at 01:37 UTC
`rm -rf /` in an eval would execute rm with the user's own permissions. If the user can run rename '`rm -rf /`' on the command line, they could just as easily run `rm -rf /` directly. In other words, as long as you don't do something foolish like make the rename script setuid or create a web interface to it, I would argue that this script has no inherent security issues.	[reply] [d/l] [select]
Re: Re: Re: UGU file rename script (GOLF?) by myocom (Deacon) on Jul 20, 2001 at 01:49 UTC
I understand that it would execute rm with the user's own permissions. And that may not be a problem for this particular application (though I would never deploy it on my network). I'm more concerned that this sort of code will get passed on to a different application (cargo-cult style), where security does matter. To my thinking, there should at least be a comment about security in there by the `eval`.	[reply] [d/l]