From 65ae84b3d67425e16b85273e566d06ae942dcce9 Mon Sep 17 00:00:00 2001
From: Harald van Dijk
Date: Fri, 26 Sep 2014 16:35:15 +0800
Subject: [BUILTIN] command: allow combining -p with -v

On 10/07/13 20:18, Craig Loomis wrote:
> Dash (0.5.7 and git master) does not implement 'command -p'
> according to the standard, and opens an intriguing security hole to
> anyone trying this scheme.
>
> When using 'command -v' to simply print the path to an executable,
> '-p' has no effect:

You're right. dash has never supported combining -p with -v, but back in
2005 this was seemingly accidentally changed from reporting a syntax
error to silently ignoring the -p option, only about a month after dash
moved to git.

Making sure that -p is respected even when -v is used is easy enough,
see attached patch. Tested even with explicit PATH overrides:
PATH=/path/to/some/other/dash command -pv dash correctly outputs
/bin/dash on my system.

> the path that 'command -p cmd' uses is a compiled-in constant
> from dash's src/var.c:defpathvar, which starts with
> "/usr/local/sbin:/usr/local/bin". To me, that is both completely
> unexpected and pretty scary -- /usr/local/bin is (very) often less
> well secured or checked than, say, /bin:

Agreed. However, IMO, it does make sense for defpathvar to start with
/usr/local/*: it has two separate functions, it also serves as the
default path (hence the name) when dash is started with no PATH set at
all. I think fixing this should be done in a way so that command -p does
not use defpathvar, not by changing defpathvar. bash uses the same
confstr function for this that getconf uses, and it shouldn't be too
much work to make dash use that too. If no one else comes up with a
working patch or a better approach, I'll try to get that working.

Signed-off-by: Herbert Xu

--- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 2a39e34..2fbc628 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,7 @@ +2014-09-26 Harald van Dijk + + * command: allow combining -p with -v. + 2013-08-23 Herbert Xu * Propagate EXP_QPAT in subevalvar. -- cgit 1.4.1
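Review bot: The added ChangeLog entry at the top of the hunk ("* command: allow combining -p with -v.") omits the caveat the commit message itself raises: per the message, the path searched by command -p is still the compiled-in defpathvar, which starts with /usr/local/sbin:/usr/local/bin, and moving it to the confstr value is left for a later patch. Consider extending the entry with a line saying the -p search path is unchanged by this commit, so that readers of the ChangeLog do not take "command -pv" as resolving against the standard system path. Separately, this view is limited to ChangeLog (1 file, 4 insertions), so the change to the command builtin that the message describes is not visible here and cannot be checked against its stated behaviour.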