Follow-up Comment #7, bug #61009 (project findutils):

>> find . -type f | xargs -F -IX -n1 cp -f X $IMGDIR_DST/X
>>
>> I can't find any problem with unsafe filenames. Am I wrong?
Yes: The idiom 'find -type f | xargs -IX cp X ...' is per se unsafe: `xargs -I` reads the input line by line - but yes, files can have a newline in their name!

Here's a reproducer using exactly your command line (without the hypothetical -F option, obviously) to copy /etc/passwd ... although that's for sure not what the user wants:

  $ rm -rf src dst  # cleanup.
  # Create a directory with in the SRC directory with a newline in the name,
  # and initialize the DST directory.
  $ mkdir -pv src/file$'\n'/etc dst/etc
  mkdir: created directory 'src'
  mkdir: created directory 'src/file'$'\n'
  mkdir: created directory 'src/file'$'\n''/etc'
  mkdir: created directory 'dst'
  mkdir: created directory 'dst/etc'
  $ cd src
  $ IMGDIR_DST=../dst
  # Create a dummy 'passwd' file therein.
  $ echo DUMMY > file$'\n'/etc/passwd
  # Add a dummy file which will hide that cp(1) will copy the wrong file.
  $ echo HACKED > file
  # Run the vulnerable command.
  $ find . -type f | xargs -IX -n1 cp -f X $IMGDIR_DST/X
  $ grep -R HACKED $IMGDIR_DST
  ../dst/file:HACKED
  $ grep -RF $(whoami) $IMGDIR_DST
  ../dst/etc/passwd:victim:x:1003:100::/home/victim:/bin/bash

The safest way to avoid this problem is to let find(1) execute the program directly, i.e., without the 'find | xargs' idiom. Alternatively, use 'find ... -print0 | xargs -0 ...' instead.

_______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?61009>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
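A runnable comparison of the three variants discussed in this comment (the `xargs -I` idiom, `find -exec`, and `-print0 | xargs -0`), added here as an example and not taken from the bug report: it builds the same newline-named tree inside a temporary directory and a `verify` function reports whether the right file reached dst. It uses `{}` rather than `X` as the xargs replacement token so a random temp-dir name cannot collide with it, and the `-exec` variant goes through an `sh -c` wrapper so it also works with finds that only substitute `{}` when it is a whole argument.

```shell
# Portable sh. A newline character, built without bash's $'\n'.
NL=$(printf '\nx'); NL=${NL%x}

# Constructed tree: src/file<NL>/etc/passwd (DUMMY) and src/file (HACKED),
# plus a dst tree with the matching directories. Prints the work dir.
make_tree() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/file$NL/etc" "$work/dst/file$NL/etc" "$work/dst/etc"
    echo DUMMY  > "$work/src/file$NL/etc/passwd"
    echo HACKED > "$work/src/file"
    printf '%s\n' "$work"
}

# The idiom from the report: xargs -I splits on newlines, so the single path
# "./file<NL>/etc/passwd" turns into two cp invocations, the second of which
# copies the system's /etc/passwd (if present) into dst/etc/passwd.
unsafe_copy() {
    ( cd "$1/src" && find . -type f | xargs -I{} cp -f {} "$1/dst/{}" ) 2>/dev/null
}

# Fix 1: let find run the program itself; each path is one argument, intact.
# The sh -c wrapper builds the destination path portably ($0 = dst, $1 = path).
exec_copy() {
    ( cd "$1/src" && find . -type f -exec sh -c 'cp -f "$1" "$0/$1"' "$1/dst" {} \; )
}

# Fix 2: NUL-terminated paths survive any byte except NUL, newline included.
print0_copy() {
    ( cd "$1/src" && find . -type f -print0 | xargs -0 -I{} cp -f {} "$1/dst/{}" )
}

# Prints "ok" only if the newline-named file was copied, the plain file was
# copied, and nothing landed in dst/etc/passwd; otherwise names the defect.
verify() {
    [ "$(cat "$1/dst/file$NL/etc/passwd" 2>/dev/null)" = DUMMY ] \
        || { echo missing-newline-file; return 1; }
    [ ! -e "$1/dst/etc/passwd" ] || { echo stray-etc-passwd; return 1; }
    [ "$(cat "$1/dst/file" 2>/dev/null)" = HACKED ] \
        || { echo missing-plain-file; return 1; }
    echo ok
}
```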