This code hasn't changed since 2000, and I think we would have noticed
if there was something fundamentally wrong with it. So before going off
on a long analysis of shell scripting, it is best to check basics. 

What have you changed? You have added an "echo" statement. Why should
that matter? Because the previous line ends in a continuation marker, so
you have changed what follows that.

Now this seems to be fairly obscure (to me as well, not my code).
http://wiki.tcl.tk/812 has some notes on the "continuation-line trick".
That article does suggest that it is deprecated, but I'd be loath to
"fix" something which apparently works for thousands of users.

I guess the question is why did you insert the echo statement? Were you
trying to fix another problem?

I am also unclear what the connection to injection attacks is.

Cheers
Martyn

On Sun, 2009-07-26 at 14:34 -0700, James Stroud wrote:
> Hello All,
> 
> It seems that sh has a variable that exists and doesn't exist at the
> same time (see my shell session below). Isn't such transition between
> existence and non-existence reserved for quantum mechanics and eastern
> philosophy? My guess is that sh has become more vigilant about
> security and the exec statement. Can anyone venture a better guess as
> to how the output below might happen? What's the best way around
> this? But the real question is: Can the people at ccp4 look at this
> and make changes to the code base before these kinds of security
> features become more commonplace (for the good reason to prevent
> injection attacks)?
> 
> For example: 
> http://www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/
> 
> Here is my shell session:
> 
> chernev 10% cat `which ccp4i`
> #!/bin/sh
> # Start ccp4i interface
> # \
> echo CCP4I_TCLTK is $CCP4I_TCLTK
> exec ${CCP4I_TCLTK}/bltwish "$0" -- ${1+"$@"}
> source [file join $env(CCP4I_TOP) bin ccp4i.tcl]
> chernev 11%
> chernev 12% ccp4i
> CCP4I_TCLTK is /usr/local/X11/bin
> Error in startup script: can't read "CCP4I_TCLTK": no such variable
>      while executing
> "exec ${CCP4I_TCLTK}/bltwish "$0" -- ${1+"$@"}"
>      (file "/usr/local/ccp4-6.1.1/bin/ccp4i" line 5)
-- 
***********************************************************************
*                                                                     *
*               Dr. Martyn Winn                                       *
*                                                                     *
*   STFC Daresbury Laboratory, Daresbury, Warrington, WA4 4AD, U.K.   *
*   Tel: +44 1925 603455    E-mail: martyn.w...@stfc.ac.uk            *
*   Fax: +44 1925 603825    Skype name: martyn.winn                   * 
*             URL: http://www.ccp4.ac.uk/martyn/                      *
***********************************************************************
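The mechanism Martyn describes (sh ignores a backslash inside a comment, Tcl does not) can be checked without either interpreter. The following is an added illustration, not code from ccp4 or from either poster: two deliberately minimal models of that one parsing rule, applied to the original ccp4i header and to the version with the extra echo line.

```python
"""Model how sh and Tcl each read the comment/continuation header of a
dual-interpreter script such as ccp4i.  Each model implements only the
single rule that matters here; it is not a full parser for either language."""


def sh_executes(lines):
    """sh view: a '#' comment ends at the newline, and a trailing backslash
    inside a comment does not continue it.  sh therefore runs every
    non-comment line until it reaches 'exec', which replaces the process."""
    out = []
    for ln in lines:
        if ln.lstrip().startswith("#"):
            continue
        out.append(ln)
        if ln.split()[0] == "exec":
            break  # the rest of the file is never seen by sh
    return out


def tcl_executes(lines):
    """Tcl view: backslash-newline is joined before parsing, so a comment
    ending in '\\' swallows the next line (and keeps going while each
    swallowed line also ends in a backslash)."""
    out, swallowed = [], False
    for ln in lines:
        if swallowed or ln.lstrip().startswith("#"):
            swallowed = ln.rstrip().endswith("\\")
            continue
        out.append(ln)
    return out


# The header exactly as quoted in the thread, before and after the edit.
ORIGINAL = [
    "#!/bin/sh",
    "# Start ccp4i interface",
    "# \\",
    'exec ${CCP4I_TCLTK}/bltwish "$0" -- ${1+"$@"}',
    "source [file join $env(CCP4I_TOP) bin ccp4i.tcl]",
]
MODIFIED = ORIGINAL[:3] + ["echo CCP4I_TCLTK is $CCP4I_TCLTK"] + ORIGINAL[3:]


def first_tcl_command(lines):
    """Name of the first command Tcl would actually evaluate, or None."""
    cmds = tcl_executes(lines)
    return cmds[0].split()[0] if cmds else None
```

With the echo inserted, Tcl's comment now swallows the echo line instead of the exec line, so bltwish evaluates `exec ${CCP4I_TCLTK}...` as Tcl and fails on the unset Tcl variable, which is exactly the error in the quoted session.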
