unshar business

Jim Budler jim at eda.com
Fri Dec 16 08:48:26 AEST 1988


In article <164 at ecicrl.UUCP> clewis at ecicrl.UUCP (Chris Lewis) writes:
| In article <395 at eda.com> jim at eda.com (Jim Budler) writes:
| >In article <7876 at well.UUCP> Jef Poskanzer <jef at rtsg.ee.lbl.gov> writes:
| >| Well, I have looked at Cathy's program, all 93 lines of it, and unless
| >| I'm reading it wrong she wasn't paying much attention either.....
[...]
| >I may modify the source to disallow any '/'.

First, you totally ignored the statement above.

| 
| How about placing the following into "../../../rnews"?  
| 
| 	for i in /bin/*
| 	do
| 		od $i | mail root
| 	done
| 

Second, though partially my fault since I failed to mention I run her
program under chroot(2). So there is no od(1), and no mail(1), and now
there is not even a sed(1) available.

| I'd say that was a little more than limited to the news hierarchy.  If you're
| gonna do this right, you gotta be really paranoid.
| 
| >| By the way, uns.c uses a fixed size buffer, only 256 characters long.
| >| I have right here in my home directory a shar file with a 288 character
| >| line.
| 
| >It was, I believe, designed to unpack maps, not general shar files.
| 
| Gee, it wouldn't be using gets would it? ;->
| 
| Come on guys - if this were war, you'd be trashed already.  Half measures
| are usually worse than none at all - being lulled by a false sense of 
| security.

Like I said, above, I do not use uns without some protective wrapping around
it, so I doubt it.

Now, I'll get down to what I really feel about this whole subject:

	1) Someone supplied some source code, presented as a possible
	solution to a problem.

	2) It wasn't perfect 8^) But then neither is sendmail, ftpd,
	fingerd, and many other programs, including basically Unix(tm).

	3) You supplied neither a better solution, nor helped to
	fix it in any positive way ( or did I miss your posting of
	the traditional Usenet source code assistance, a diff).

Cathy's program, slightly modified, wrapped within an edit of 
Mr. Quartermain's uuhosts script and mapsh program, increased 
the security of unpacking the maps.

What did your postings really contribute? 

And no I haven't finished my mods to the program, yet, so I know
it isn't perfect yet, and given your response to less than perfection
I may never post it, but instead sit here more secure, in the grand
tradition of all those who sat back and said "I've known about that
hole for years." Why post source, I'll just get flames from the
perfect people out there. <----- *more sarcasm*

| -- 
| Chris Lewis, Markham, Ontario, Canada

Like I said lighten up.

jim


-- 
Jim Budler   address = uucp: ...!{decwrl,uunet}!eda!jim OR domain: jim at eda.com
#define disclaimer	"I do not speak for my employer"
#define truth       "I speak for myself"
#define result      "variable"
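As an added illustration of the two weaknesses argued over in this thread (a shar target name that climbs out of the news hierarchy, and a 256-character buffer filled by gets), not code from the thread, from uns.c or from uuhosts: a name check that applies Jim's "disallow any '/'" rule, and a bounded line reader that refuses a 288-character line instead of overflowing. All function names and the sample input are my own.

```c
#include <stdio.h>
#include <string.h>
#define UNS_BUF 256   /* the fixed buffer size the thread criticises */

/* Jim's proposed rule: reject any target name containing '/', which also
 * covers "../../../rnews". Empty names are rejected too. Returns 1 if ok. */
int shar_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return 0;
    return 1;
}

/* Bounded replacement for gets(): 1 = complete line in buf, 0 = EOF,
 * -1 = line longer than the buffer; the remainder is discarded so the
 * caller can carry on, where gets() would have overrun the buffer. */
int read_line_bounded(FILE *fp, char *buf, size_t len)
{
    if (fgets(buf, (int)len, fp) == NULL) return 0;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    if (feof(fp)) return 1;           /* final line without newline */
    int c;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;                             /* swallow the overlong remainder */
    return -1;
}

/* Constructed sample (not from the thread): a short line, a 288-character
 * line like the one Jef reports, then another short line, pushed through
 * read_line_bounded() with the 256-byte buffer. Returns lines refused. */
int count_overlong_in_sample(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    fputs("X line one\n", fp);
    for (int i = 0; i < 288; i++) fputc('A', fp);
    fputs("\nX line three\n", fp);
    rewind(fp);
    char buf[UNS_BUF];
    int rejected = 0, rc;
    while ((rc = read_line_bounded(fp, buf, sizeof buf)) != 0)
        if (rc < 0) rejected++;
    fclose(fp);
    return rejected;
}
```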


