From: Ben Smithurst
To: Kris Kennaway
Cc: Brian Somers, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Date: Wed, 9 Aug 2000 07:11:03 +0100
Subject: Re: cvs commit: src/etc rc
Message-ID: <20000809071103.U65753@strontium.scientia.demon.co.uk>
References: <200008082256.XAA03062@hak.lan.Awfulhak.org>

Kris Kennaway wrote:

> On Tue, 8 Aug 2000, Brian Somers wrote:
>
>> How is it vulnerable to files with spaces ? I have specifically
>> tested this with filenames containing embedded spaces and ^Hs and the
>> like.
>
> Oops, I misread the effect of this line:
>
> + cd "$dir" && ls | while read file
>
> I assumed the 'read' would just take the next word.

I think this will still break for filenames which either begin or end
with a space, or contain a newline. Why not just use 'for file in .* *;
do ...; done' which would seem safer?

--
Ben Smithurst / ben@FreeBSD.org / PGP: 0x99392F7D
FreeBSD Documentation Project /
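
Review bot: in the added line `cd "$dir" && ls | while read file`, `read` is called with the default IFS and without `-r`, so leading and trailing whitespace is stripped from each name and backslashes are treated as escape characters; because `ls` writes one name per line, a name containing a newline also reaches the loop as two separate values. Suggest iterating over a glob instead of parsing `ls` output, skipping `.` and `..` and any pattern that matched nothing.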
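
The difference between the two loops discussed in this message, as an added example that is not part of the original thread or of the FreeBSD source. The filenames are constructed samples, and the function names `make_samples`, `count_read_loop` and `count_glob_loop` are hypothetical.

```sh
#!/bin/sh
# Added example: compares `ls | while read file` with `for file in .* *`.
# Every filename created here is a constructed sample.

make_samples() {
    # Create a scratch directory holding five awkward names; print its path.
    d=$(mktemp -d) || return 1
    : > "$d/plain"
    : > "$d/mid dle"
    : > "$d/ lead"
    : > "$d/trail "
    : > "$d/new
line"
    printf '%s\n' "$d"
}

count_read_loop() {
    # Loop from the quoted patch line: count the values that still name
    # a real file after `read` has split and trimmed the `ls` output.
    (cd "$1" && ls | while read file; do
        if [ -e "$file" ]; then echo hit; fi
    done | wc -l | tr -d ' ')
}

count_glob_loop() {
    # Loop suggested in the reply, with guards for ".", ".." and for a
    # pattern that matched nothing (the shell leaves it as a literal).
    (
        cd "$1" || exit 1
        n=0
        for file in .* *; do
            case $file in .|..) continue ;; esac
            [ -e "$file" ] || [ -L "$file" ] || continue
            n=$((n + 1))
        done
        echo "$n"
    )
}

dir=$(make_samples)
echo "read loop resolved $(count_read_loop "$dir") of 5 names"
echo "glob loop resolved $(count_glob_loop "$dir") of 5 names"
rm -rf "$dir"
```

The read loop keeps only `plain` and `mid dle`: an embedded space survives, while the leading space, the trailing space and the newline each produce a name that no longer exists.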