author: Harald van Dijk <harald@gigawatt.nl>, 2014-09-26 16:35:15 +0800
committer: Herbert Xu <herbert@gondor.apana.org.au>, 2014-09-26 16:35:15 +0800
commit: 65ae84b3d67425e16b85273e566d06ae942dcce9
tree: 02eb3956ee0437bac65b361adaa4380febe62e4b /src/funcs/kill
parent: [BUILTIN] Fixed argument parsing crash in test
[BUILTIN] command: allow combining -p with -v
On 10/07/13 20:18, Craig Loomis wrote:
>   Dash (0.5.7 and git master) does not implement 'command -p'
> according to the standard, and opens an intriguing security hole to
> anyone trying this scheme.
> 
>   When using 'command -v' to simply print the path to an executable,
> '-p' has no effect:

You're right. dash has never supported combining -p with -v, but back in
2005 this was seemingly accidentally changed from reporting a syntax
error to silently ignoring the -p option, only about a month after dash
moved to git.

Making sure that -p is respected even when -v is used is easy enough,
see attached patch. Tested even with explicit PATH overrides:
  PATH=/path/to/some/other/dash command -pv dash
correctly outputs /bin/dash on my system.

> the path that 'command -p cmd' uses is a compiled-in constant
> from dash's src/var.c:defpathvar, which starts with
> "/usr/local/sbin:/usr/local/bin". To me, that is both completely
> unexpected and pretty scary -- /usr/local/bin is (very) often less
> well secured or checked than, say, /bin:

Agreed. However, IMO, it does make sense for defpathvar to start with
/usr/local/*: it has two separate functions, it also serves as the
default path (hence the name) when dash is started with no PATH set at
all. I think fixing this should be done in a way so that command -p does
not use defpathvar, not by changing defpathvar. bash uses the same
confstr function for this that getconf uses, and it shouldn't be too
much work to make dash use that too. If no one else comes up with a
working patch or a better approach, I'll try to get that working.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions
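
The commit message above notes that bash takes the `command -p` search path from the same confstr value that `getconf` reports. As an added example (not dash code and not part of this commit), the POSIX shell functions below resolve a utility against `getconf PATH` and report when the caller's `$PATH` resolves the same name to a different file; `std_lookup` and `path_shadowed` are hypothetical names, and the optional second argument is an assumption added so the check can be run against any directory list.

```shell
# Added example, not dash source. std_lookup and path_shadowed are
# hypothetical helper names.

# Print the first executable named $1 in the colon-separated list $2.
# Without $2, use the system's standard utility path from `getconf PATH`.
std_lookup() {
    case $1 in ''|*/*) return 2 ;; esac          # bare utility names only
    if [ $# -ge 2 ]; then _list=$2; else _list=$(getconf PATH) || return 2; fi
    _rest=$_list:
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        # Skip empty and relative entries: they mean "search the current directory".
        case $_dir in /*) ;; *) continue ;; esac
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then
            printf '%s\n' "$_dir/$1"
            return 0
        fi
    done
    return 1
}

# Exit status: 0 = $PATH resolves $1 to a different file than the standard
# path does (both are printed), 1 = same file, 2 = not found, 3 = $1 did not
# resolve to an absolute path (builtin, function, alias, relative PATH entry).
path_shadowed() {
    _std=$(std_lookup "$@") || return 2
    _cur=$(command -v "$1") || return 2
    case $_cur in /*) ;; *) return 3 ;; esac
    # -ef compares device and inode, so /bin/ls and /usr/bin/ls on a
    # merged-/usr system count as the same file.
    [ "$_cur" -ef "$_std" ] && return 1
    printf '%s: PATH gives %s, standard path gives %s\n' "$1" "$_cur" "$_std"
    return 0
}

# Usage: path_shadowed ls && echo "ls on \$PATH is not the standard one"
```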