Wed, Apr 12 2006
09:35:02
Request created by hbowman
Subject: Init.sh: security issue with the PATH
Hi,

If you haven't set $GRASS_ADDON_PATH, then the path statement in Init.sh
includes "./" in the path.

e.g.

  unset GRASS_ADDON_PATH
  #Init.sh
  PATH=$GISBASE/bin:$GISBASE/scripts:$GRASS_ADDON_PATH:$PATH

translates to

  PATH=$GISBASE/bin:$GISBASE/scripts::$PATH

Now the "::" part acts like ":./:" which is a security risk -- if someone
dumps a nasty script called "ls" in your home dir, bad times may ensue.

better:

  if [ -n "$GRASS_ADDON_PATH" ] ; then
    PATH="$GISBASE/bin:$GISBASE/scripts:$GRASS_ADDON_PATH:$PATH"
  else
    PATH="$GISBASE/bin:$GISBASE/scripts:$PATH"
  fi

??

or  if [ -d "$GRASS_ADDON_PATH" ] ; then

??

Hamish
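
The empty-element behaviour described in the report above, as an added example (not code from the ticket or from GRASS): path_join builds a PATH while skipping unset components, and path_unsafe_entries flags elements that are looked up relative to the current directory. The function names and the sample GISBASE and BASE_PATH values are constructed for illustration.

```sh
#!/bin/sh
# Added example, not GRASS code; function names and sample values are constructed.

# path_join DIR...: join arguments with ':' and skip empty ones, so an unset
# variable can never leave an empty PATH element behind.
path_join() {
    _pj_out=""
    for _pj_dir in "$@"; do
        [ -n "$_pj_dir" ] || continue
        _pj_out="${_pj_out:+$_pj_out:}$_pj_dir"
    done
    printf '%s\n' "$_pj_out"
}

# path_unsafe_entries PATHSTRING: print one line per element that is looked up
# relative to the current directory (empty, or not starting with '/').
# Returns 0 if any such element was found, 1 if there is none.
path_unsafe_entries() {
    _pu_found=1
    _pu_rest="$1:"   # sentinel colon so a trailing empty element is seen
    while [ -n "$_pu_rest" ]; do
        _pu_elem="${_pu_rest%%:*}"
        _pu_rest="${_pu_rest#*:}"
        case "$_pu_elem" in
            "") echo "empty element (current directory)"; _pu_found=0 ;;
            /*) ;;
            *)  echo "relative element: $_pu_elem"; _pu_found=0 ;;
        esac
    done
    return "$_pu_found"
}

# Constructed sample values, not a real installation.
GISBASE=/usr/local/grass
BASE_PATH=/usr/bin:/bin

# The two constructions from the report; $1 is the add-on directory
# (empty string when GRASS_ADDON_PATH is not set).
naive_path() { printf '%s\n' "$GISBASE/bin:$GISBASE/scripts:$1:$BASE_PATH"; }
safe_path()  { path_join "$GISBASE/bin" "$GISBASE/scripts" "$1" "$BASE_PATH"; }

for p in "$(naive_path "")" "$(safe_path "")"; do
    echo "PATH=$p"
    path_unsafe_entries "$p" || echo "  no current-directory elements"
done
```

path_join only drops empty arguments; an inherited $PATH that already contains "::" or a leading or trailing colon is still reported by path_unsafe_entries.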
Wed, Apr 19 2006
10:06:23
Area changed to RCbug by hbowman
Thu, Apr 20 2006
11:33:06
Status changed to resolved by hbowman
Thu, Apr 20 2006
11:33:06
Comments added by hbowman
fixed in CVS for 6.1 (HEAD), 6.0.x, and 5 branches
Hamish