Date: Sat, 8 Oct 2016 09:48:23 -0500
From: Pedro Giffuni <pfg@FreeBSD.org>
To: Jilles Tjoelker <jilles@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org, Joerg Schilling <schily@schily.net>
Subject: Re: svn commit: r306843 - in head/bin/sh: . tests/parameters
Message-ID: <19bde483-d3d1-4e81-b56d-7692bb2e984f@FreeBSD.org>
In-Reply-To: <201610081340.u98DeDxj088061@repo.freebsd.org>
References: <201610081340.u98DeDxj088061@repo.freebsd.org>
On 10/08/16 08:40, Jilles Tjoelker wrote:
> Author: jilles
> Date: Sat Oct 8 13:40:12 2016
> New Revision: 306843
> URL: https://svnweb.freebsd.org/changeset/base/306843
>
> Log:
>   sh: Do not import IFS's value from the environment.
>
>   Per Austin group issue #884, always set IFS to $' \t\n'. As before, IFS will
>   be exported iff it was in the environment.
>
>   Most shells (e.g. bash, ksh93 and mksh) already did this. This change
>   improves predictability, in that scripts can simply rely on the default
>   value.
>
>   However, the effect on security is little, since applications should not be
>   calling the shell with attacker-controlled environment variable names in the
>   first place and other security-sensitive variables such as PATH should be
>   and are imported by the shell.
>
>   When using a new sh with an old (before 10.2) libc wordexp(), IFS is no
>   longer passed on. Otherwise, wordexp() continues to pass along IFS from the
>   environment per its documentation.
>
>   Discussed with: pfg
>   Relnotes: yes
>

For the record, the idea was suggested originally by Joerg Schilling.

Thanks!

Pedro.
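The behaviour the commit message describes, as an added example that is not part of the commit, the FreeBSD tree or this thread: a POSIX sh script that probes whether a given shell binary honours an IFS value handed to it in the environment (what FreeBSD sh did before r306843), and a second helper that shows what a script relying on the default IFS sees when an inherited IFS=':' is honoured. The shell names probed (sh, bash) and the sample strings are assumptions chosen for the example.

```sh
#!/bin/sh
# Added example, not from the commit or this thread: probe whether a shell
# imports IFS from its environment, and show the effect on field splitting.

# ifs_imported SHELL -> prints "yes" if SHELL took IFS=':' from its
# environment, "no" otherwise.
# The child is asked to field-split the literal 'a:b:c': that is one word
# under the default IFS (space, tab, newline) and three words if the
# environment's IFS=':' was imported.
ifs_imported() {
    shell="$1"
    # A leading assignment is exported only into the child's environment;
    # it does not change how this command line itself is field-split.
    words=$(IFS=: "$shell" -c 'set -- $1; echo $#' probe 'a:b:c')
    if [ "$words" = "3" ]; then
        echo yes
    else
        echo no
    fi
}

# fields_with_ifs IFS_VALUE TEXT -> number of fields TEXT splits into when
# IFS is IFS_VALUE, i.e. what an unquoted `set -- $text` yields inside a
# script that started life with that IFS.
fields_with_ifs() {
    saved_ifs="$IFS"
    IFS="$1"
    set -- $2
    IFS="$saved_ifs"
    echo $#
}

main() {
    # Shell names to probe are assumptions; absent ones are skipped.
    for shell in sh bash; do
        command -v "$shell" >/dev/null 2>&1 || continue
        printf '%s imports IFS from the environment: %s\n' \
            "$shell" "$(ifs_imported "$shell")"
    done
    # A PATH-like value (constructed sample) stays one field under the
    # default IFS but becomes its components if an inherited IFS=':' is used.
    printf 'fields in "/bin:/usr/bin" with default IFS: %s\n' \
        "$(fields_with_ifs ' ' '/bin:/usr/bin')"
    printf 'fields in "/bin:/usr/bin" with IFS=":":     %s\n' \
        "$(fields_with_ifs ':' '/bin:/usr/bin')"
}

main "$@"
```

Run it under any POSIX sh; a shell that answers "yes" is one whose scripts cannot rely on the default IFS unless they reset it themselves, which is the predictability point the commit message makes.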