[GRASS5] [bug #4281] (grass) Init.sh: security issue with the PATH

Request Tracker grass-bugs at intevation.de
Wed Apr 12 03:35:02 EDT 2006


this bug's URL: http://intevation.de/rt/webrt?serial_num=4281
-------------------------------------------------------------------------

Subject: Init.sh: security issue with the PATH

Hi,

If you haven't set $GRASS_ADDON_PATH, then the path statement in Init.sh 
includes "./" in the path.

e.g.
unset GRASS_ADDON_PATH

#Init.sh
PATH=$GISBASE/bin:$GISBASE/scripts:$GRASS_ADDON_PATH:$PATH

translates to

PATH=$GISBASE/bin:$GISBASE/scripts::$PATH

now the "::" part acts like ":./:" which is a security risk -- if someone
dumps a nasty script called "ls" in your home dir, bad times may ensue.


better:

if [ -n "$GRASS_ADDON_PATH" ] ; then
   PATH="$GISBASE/bin:$GISBASE/scripts:$GRASS_ADDON_PATH:$PATH"
else
   PATH="$GISBASE/bin:$GISBASE/scripts:$PATH"
fi


??

or if [ -d "$GRASS_ADDON_PATH" ] ; then
??


Hamish


-------------------------------------------- Managed by Request Tracker
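
Added example (not part of the original report and not code from Init.sh): a POSIX sh sketch that generalizes the fix proposed above by joining PATH components while skipping empty ones, and that counts the entries a shell would resolve against the current directory. The function names join_path and count_cwd_entries, and the GISBASE and SYS_PATH values, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not part of Init.sh. GISBASE and SYS_PATH are constructed values.

# Print the number of entries in a PATH-style string that the shell resolves
# against the current directory: empty entries (leading, trailing or doubled
# colon) and relative ones such as "." or "./".
count_cwd_entries() {
    rest="$1:"          # sentinel colon so a trailing empty entry is seen
    n=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}           # text before the first colon
        rest=${rest#*:}             # drop that entry and its colon
        case $entry in
            /*) ;;                  # absolute directory: fine
            *)  n=$((n + 1)) ;;     # empty or relative: current-directory lookup
        esac
    done
    echo "$n"
}

# Join the arguments with ":" and skip empty ones, so an unset optional
# variable cannot leave a "::" behind. Arguments are not split further;
# an inherited PATH that already contains "::" is passed through as-is.
join_path() {
    out=
    for part in "$@"; do
        [ -n "$part" ] || continue
        out=${out:+$out:}$part
    done
    echo "$out"
}

GISBASE=/usr/local/grass      # constructed install prefix
SYS_PATH=/usr/bin:/bin        # constructed stand-in for the inherited $PATH
unset GRASS_ADDON_PATH

# Concatenation as in the reported Init.sh line, then the joined form.
before="$GISBASE/bin:$GISBASE/scripts:$GRASS_ADDON_PATH:$SYS_PATH"
after=$(join_path "$GISBASE/bin" "$GISBASE/scripts" "$GRASS_ADDON_PATH" "$SYS_PATH")

echo "before: $before (cwd entries: $(count_cwd_entries "$before"))"
echo "after:  $after (cwd entries: $(count_cwd_entries "$after"))"
```

Running count_cwd_entries "$PATH" after a startup script has finished is a quick check that no empty or relative entry slipped in from any other variable.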