[ minicom-Bugs-300083 ] threatening: shell expansion done for filenames
noreply@alioth.debian.org
noreply@alioth.debian.org
Tue, 12 Aug 2003 22:16:02 +0200
Bugs item #300083, was opened at 2003-08-13 00:16
You can respond by visiting:
http://alioth.debian.org/tracker/?func=detail&atid=100031&aid=300083&group_id=31
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Ivan Zakharyaschev (imz-guest)
Assigned to: Nobody (None)
Summary: threatening: shell expansion done for filenames
Initial Comment:
As evidenced by the following example, filenames of the
files sent via Zmodem are subject to shell expansion --
that's dangerous for the rest of the system since a
minicom user can unintentionally peform a very bad
action by sending a file with a special name. A normal
user would expect that a filename selected from a list
would not be expanded.
Example:
...running bash...
$ echo a > a\
$ minicom
Ctrl-A S, select zmodem, then select the file from the
list with some special name, e.g., a`wall hi`, Enter
As the result, "wall hi" is executed.
Originally reported by Pilot at
http://bugs.altlinux.ru/view_bug_advanced_page.php?f_id=0002772
(in Russian).
----------------------------------------------------------------------
You can respond by visiting:
http://alioth.debian.org/tracker/?func=detail&atid=100031&aid=300083&group_id=31