From owner-freebsd-questions  Thu Aug 14 11:17:42 1997
Return-Path: <owner-freebsd-questions>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id LAA02949
          for questions-outgoing; Thu, 14 Aug 1997 11:02:45 -0700 (PDT)
Received: from twwells.com (mail@twwells.com [199.79.159.1])
          by hub.freebsd.org (8.8.5/8.8.5) with SMTP id LAA02940
          for <freebsd-questions@freebsd.org>; Thu, 14 Aug 1997 11:02:40 -0700 (PDT)
Received: from news by twwells.com with local (Exim 1.62 #3)
	id 0wz47k-0003hs-00; Thu, 14 Aug 1997 13:55:52 -0400
From: bill@twwells.com (T. William Wells)
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Please explain why this is a security hole in /etc/daily
Message-ID: <5su4jm$91l@twwells.com>
References: <19970812232708.44622@denver.net> <Pine.SGI.3.95.970814093912.10046A-100000@tui.pinnacle.co.nz>
Date: Thu, 14 Aug 1997 13:55:52 -0400
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Filenames may have newlines in them. Create, in /tmp,
/tmp/fuckyou\n/etc/master.passwd

(\n representing a newline character); find prints

/tmp/fuckyou
/etc/master.passwd

on two separate lines. The xargs program cheerfully makes two
arguments to rm for it...and there goes your master.passwd.