svn commit: r306843 - in head/bin/sh: . tests/parameters
Pedro Giffuni
pfg at FreeBSD.org
Sat Oct 8 14:48:29 UTC 2016
On 10/08/16 08:40, Jilles Tjoelker wrote:
> Author: jilles
> Date: Sat Oct 8 13:40:12 2016
> New Revision: 306843
> URL: https://svnweb.freebsd.org/changeset/base/306843
>
> Log:
> sh: Do not import IFS's value from the environment.
>
> Per Austin group issue #884, always set IFS to $' \t\n'. As before, IFS will
> be exported iff it was in the environment.
>
> Most shells (e.g. bash, ksh93 and mksh) already did this. This change
> improves predictability, in that scripts can simply rely on the default
> value.
>
> However, the effect on security is little, since applications should not be
> calling the shell with attacker-controlled environment variable names in the
> first place and other security-sensitive variables such as PATH should be
> and are imported by the shell.
>
> When using a new sh with an old (before 10.2) libc wordexp(), IFS is no
> longer passed on. Otherwise, wordexp() continues to pass along IFS from the
> environment per its documentation.
>
> Discussed with: pfg
> Relnotes: yes
>
For the record, the idea was suggested originally by Joerg Schilling.
Thanks!
Pedro.
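
The behaviour described in the commit log can be checked against any installed shell. The following is an added example, not part of the original message or of the FreeBSD commit; the function names `ifs_import_status` and `ifs_exported_when` and the probe strings are constructed for illustration. Going by the log, a post-r306843 FreeBSD sh should report `import=ignored`, `export(inherited)=yes` and `export(absent)=no`.

```shell
#!/bin/sh
# Added example (not from the commit): probe how a shell treats an IFS value
# inherited from the environment. Names and probe strings are constructed.

# Prints "ignored" if the shell reset IFS at startup, "imported" if the
# inherited value ":" was used for field splitting.
ifs_import_status() {
    shell=${1:-sh}
    # a:b:c is 1 field under the default IFS, 3 fields if IFS=: was imported.
    n=$(IFS=: "$shell" -c 'x=a:b:c; set -- $x; echo $#' 2>/dev/null) || return 2
    case $n in
        1) echo ignored ;;
        3) echo imported ;;
        *) echo unknown; return 1 ;;
    esac
}

# Prints "yes" or "no": does the shell hand IFS on to its own children?
# $2 is "inherited" (IFS present in the shell's environment) or "absent".
ifs_exported_when() {
    shell=${1:-sh}
    if [ "$2" = inherited ]; then
        n=$(IFS=: "$shell" -c env 2>/dev/null | grep -c '^IFS=' || true)
    else
        n=$( (unset IFS; "$shell" -c env) 2>/dev/null | grep -c '^IFS=' || true)
    fi
    [ "${n:-0}" -gt 0 ] && echo yes || echo no
}

# Report for whichever of these shells are installed.
for s in sh bash dash ksh93 mksh; do
    command -v "$s" >/dev/null 2>&1 || continue
    printf '%-6s import=%s export(inherited)=%s export(absent)=%s\n' "$s" \
        "$(ifs_import_status "$s")" \
        "$(ifs_exported_when "$s" inherited)" \
        "$(ifs_exported_when "$s" absent)"
done
```

A shell that reports `import=imported` splits words on whatever IFS its caller supplied, so scripts run under it should set IFS explicitly before relying on field splitting.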