Re: Default PATH setting - reduce to something more sensible?

On 2025-01-27, Keith Thompson <Keith.S.Thompson+u@gmail.com> wrote:

Lawrence D'Oliveiro <ldo@nz.invalid> writes:

On Mon, 27 Jan 2025 15:48:21 +1100, Alexis wrote:

Lawrence D'Oliveiro <ldo@nz.invalid> writes:

But you can use “∕” in a file/directory name.

 
Not in a POSIX-conforming way:

>
    ldo@theon:trydir> mkdir f1
    ldo@theon:trydir> touch f1/f2
    ldo@theon:trydir> touch f1∕f2

[...]
>
Yes, yes, we all know what you're saying, and we all hope you've
enjoyed the attention.

He's making some irrelevant point about being able to use the
U+2215 "DIVISION SLASH" character in a path name, UTF-8 encoded.

Sure, Unicode character confusion can have security implications.

For instance, I'm guessing that if you call GetCommandLineA
on Windows on an input string containing U+2215, it will likely
map it to the ASCII slash. Which means that there is now a path
separator which wasn't there.

If a user is operating some program which calls another program, passing
arguments to it, and that calling program validates against the use of
certain paths for security reasons, that user may be able to use this to
escape from the sandbox. For instance something like "../bar"
can be written with U+2215 slashes, so that it validates as a simple
file name; but upon mapping to ASCII, it becomes two components, one
of which escapes upward out of the working directory.

I don't suspect this problem intersects with the issue we are talking
about, but it's hard to be sure about a negative without doing a bunch
of work.

The ability to use a Unicode slash in a filename on POSIX systems,
thanks to UTF-8, is mostly a good thing, in my view.

--
TXR Programming Language: http://nongnu.org/txr
Cygnal: Cygwin Native Application Library: http://kylheku.com/cygnal
Mastodon: @Kazinator@mstdn.ca