Note: to prevent the possible spamming of my lovely bug reporters, i have
	inserted _!cut!_ into their email addys.  remove that if you want
	to get in touch with them.

Lamont Granquist <lamontg@_!cut!_raven.genome.washington.edu> writes:

> one concern:
>
> you seem to be trusting that nobody is going to be trying to do evil
> things to the directory structure to try to take advantage of security
> holes and run commands as root.  i haven't been able to produce such a
> hole, but i've been trying things like...
>
> mkdir foo\;IFS=\"%\"\;touch%bar\;/
> cd foo\;IFS=\"%\"\;touch%bar\;/
> cp ~/mycore core
>
> you may want to clean up the $each variable to eliminate anything which
> isn't in an approved character set.  while i can't prove a security hole
> anywhere, it makes me a little uneasy that you can put essentially
> anything into $each and have it get expanded by /bin/sh about 7 times."

for quick reference, as of this release, here are the "offending" lines,
pruned down for brevity:

 # $each is the candidate path supplied by the surrounding loop and $PROGNAME
 # is the script's name.  Each use of $each is double-quoted so the shell
 # expands it once and does not re-parse the result as a command.
 if [ -f "$each" ]; then
   if /usr/bin/file -b "$each" | egrep --quiet '[Cc]ore ([Ff]ile|[Dd]ump)'; then
     dirname=`/usr/bin/dirname "$each"`
     basename=`/usr/bin/basename "$each"`
     echo "$PROGNAME removed core file: $each"
     /bin/rm -f "$each"
   fi
 fi

i think the `[ -f $each ]` (aka `test -f $each`) line would cause any attempt
at this to fail, but /usr/bin/whoami to say.

while lamont's concern is valid, the problem is that _any_ character can be in
a directory name, so if we limited $each to a pre-defined character set, we
would be limiting the usefulness of urmcore.  executor (the mac emulator), for
example, uses the character '%' in its directory names
(e.g. /var/opt/executor/share/home/Demoware/StuffIt Expander%AA 4.0.1 Folder/),
so if we disallowed the '%' character in directory names, we wouldn't catch
core files in this directory.
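
as an added example (not urmcore's code, and not part of this note), here is a
POSIX sh sweep that copes with the hostile names quoted above and with
executor's '%' directory without restricting the character set: every
expansion is double-quoted, option parsing is ended with --, and the path
reaches the worker shell as an argument rather than as text pasted into a
command string, so it is parsed as data exactly once.  the function names
remove_cores and demo, the marker file name injected-marker, and the basename
check that stands in for the /usr/bin/file test are all assumptions made for
the example.

```shell
#!/bin/sh
# Added example, not urmcore's own code: remove core files below a directory
# without whitelisting characters in the path.
#
# Stand-in for urmcore's /usr/bin/file test so the example runs anywhere:
# a core file is a regular file whose basename is exactly "core".  With
# file(1) the same rule holds: quote the path, e.g. /usr/bin/file -b "$each".

# Delete every core file below "$1".  find(1) hands each path to the worker
# shell as a positional parameter, so ';', '%', '$(...)', backticks, spaces
# and even newlines inside the path are plain data, never shell syntax.
remove_cores() {
  find "$1" -type f -exec sh -c '
    for each in "$@"; do
      if [ -f "$each" ] && [ "${each##*/}" = core ]; then
        /bin/rm -f -- "$each" && printf "removed core file: %s\n" "$each"
      fi
    done' sh {} +
}

# Constructed demonstration modelled on the directory names in the report
# above plus the '%' name from executor.  Returns 0 when every core file is
# gone, the look-alike "core.txt" survives, and the touch command embedded in
# the directory names never ran (no injected-marker file exists anywhere).
demo() {
  top=$(mktemp -d) || return 1
  evil="$top/foo;IFS=\"%\";touch%injected-marker;"
  pct="$top/StuffIt Expander%AA 4.0.1 Folder"
  sub="$top/\$(touch \"$top/injected-marker\")"
  nl=$(printf '%s/line1\nline2' "$top")
  mkdir -p -- "$evil" "$pct" "$sub" "$nl" || return 1
  : > "$evil/core"; : > "$pct/core"; : > "$sub/core"; : > "$nl/core"
  : > "$pct/core.txt"
  remove_cores "$top" >/dev/null
  status=1
  if [ ! -e "$evil/core" ] && [ ! -e "$pct/core" ] && [ ! -e "$sub/core" ] \
     && [ ! -e "$nl/core" ] && [ -f "$pct/core.txt" ] \
     && [ -z "$(find "$top" -name injected-marker)" ]; then
    status=0
  fi
  rm -rf -- "$top"
  return "$status"
}

# Run the demonstration when the file is executed directly.
if demo; then echo "hostile names handled safely"; else echo "demo failed" >&2; fi
```

the thing to notice is that no sanitising of $each happens at all: the names
keep their ';', '%', quotes and command substitutions, and the core files under
them are still found and removed, because nothing ever feeds the path back
into a shell parser.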

so...there is this duality between functionality and security.  as of now i'm
going to opt for functionality.  i'm gonna port this puppy to C soon (and
extend the functionality to check for 

1) someone figures out a way to trick the above "offending" lines into actually
running something, in which case i'll s/optional/mandatory/ or
2) someone figures out a way to ensure this security without limiting the
functionality.
 
