Re: Bash is incorrectly and inconsistently expanding tilde in $PATH
From: Ángel
Subject: Re: Bash is incorrectly and inconsistently expanding tilde in $PATH
Date: Thu, 04 May 2017 23:00:10 +0200

On 2017-05-04 at 10:11 -0500, Eduardo Bustamante wrote:
> On Thu, May 4, 2017 at 10:01 AM, Greg Wooledge <wooledg@eeg.ccf.org> wrote:
> [...]
> > Without taking a side on whether this is a security bug in bash, I will
> > support the idea that users who put ~/bin (or similar) in PATH should
> > be educated to make sure the ~ is expanded, rather than literal. This
> > will protect them even if bash gets patched, because most of them will
> > still be using an older/unpatched version.
>
> So should bash print a warning whenever it performs tilde expansion in
> one of the PATH components? (similar to the warning it prints when
> discarding NUL bytes).

No. IMHO the fix would be to expand ~ at assignment time, even when
quoted, i.e. PATH='~/bin' would be equivalent to PATH=~/bin.

Thus, assignments of ~/whatever done in bash would continue working, and
descendants using an execvp() function would not find a bare tilde but
the expanded path, which is the 'expected' thing.

(And for people that really want a literal ~ in PATH, that is already
«broken» in bash, so if they expect that to be kept, they should not be
doing so within bash.)
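
The thread's advice is to make sure PATH holds an expanded directory rather than a literal `~`. A way to check a PATH value for that and rewrite it, as an added example that is not part of the original message; the function names and the sample value are hypothetical, and `~user` entries are only reported, not resolved:

```shell
#!/bin/sh
# Added example: audit a PATH-style string for literal tilde components.
# Plain POSIX sh; helper variables are global and prefixed with "_".

# Print every component that starts with a literal "~", one per line.
# Returns 0 if at least one was found, 1 otherwise.
path_literal_tildes() {
    _rest=$1: _found=1            # trailing ":" so the last entry is seen
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}         # first component
        _rest=${_rest#*:}         # everything after it
        case $_dir in
            '~'*) printf '%s\n' "$_dir"; _found=0 ;;
        esac
    done
    return "$_found"
}

# Print the same list with "~" and "~/..." replaced by $HOME.
# Empty components are preserved; "~user/..." is left untouched.
path_expand_tildes() {
    _rest=$1: _out='' _sep=''
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        case $_dir in
            '~')   _dir=$HOME ;;
            '~'/*) _dir=$HOME/${_dir#??} ;;   # drop the leading "~/"
        esac
        _out=$_out$_sep$_dir
        _sep=:
    done
    printf '%s\n' "$_out"
}

# Constructed sample value, as produced by a quoted assignment.
sample='~/bin:/usr/local/bin:~:/usr/bin'
if path_literal_tildes "$sample" >/dev/null; then
    echo "literal tilde entries:"
    path_literal_tildes "$sample"
    echo "expanded: $(path_expand_tildes "$sample")"
fi
```

Running `path_literal_tildes "$PATH"` from a login script gives the same result regardless of how the running shell treats a tilde during command lookup.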