author | James Youngman <jay@gnu.org> | 2010-10-11 10:38:29 +0100 |
---|---|---|
committer | James Youngman <jay@gnu.org> | 2010-10-11 10:38:29 +0100 |
commit | c890c6030558072b0b69823e8be47764a1cedcb5 (patch) | |
tree | bc8b945a838db395ccdcde7512d043a25185e9fa /doc | |
parent | 107f84e5f7b896c3d8fd40091521c42c1890458e (diff) | |
download | findutils-c890c6030558072b0b69823e8be47764a1cedcb5.tar.gz |
Give some references to further reading on security.
* doc/find.texi (Further Reading on Security): Give some
references to further reading on security.
* NEWS: Mention this change.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/find.texi | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/doc/find.texi b/doc/find.texi index 36b77aaf..6771dd1d 100644 --- a/doc/find.texi +++ b/doc/find.texi @@ -4824,6 +4824,7 @@ on what the system is going to do with the files found by @code{find}. * Security Considerations for xargs:: Security problems with xargs * Security Considerations for locate:: Security problems with locate * Security Summary:: That was all very complex, what does it boil down to? +* Further Reading on Security:: @end menu @@ -5299,6 +5300,33 @@ Use of the @samp{-execdir} action with @code{find} where the only trusted programs. @end table + +@node Further Reading on Security +@section Further Reading on Security + +While there are a number of books on computer security, there are also +useful articles on the web that touch on the issues described above: + +@table @url +@item http://goo.gl/DAvh +@c https://www.securecoding.cert.org/confluence/display/seccode/MSC09-C.+Character+Encoding+-+Use+Subset+of+ASCII+for+Safety +This article describes some of the unfortunate effects of allowing +free choice of file names. +@item http://cwe.mitre.org/data/definitions/78.html +Describes OS Command Injection +@item https://cwe.mitre.org/data/definitions/73.html +Describes problems arising from allowing remote computers to send +requests which specify file names of their choice +@item http://cwe.mitre.org/data/definitions/116.html +Describes problems relating to encoding file names and escaping +characters. This article is relevant to findutils because for command +lines processed via the shell, the encoding and escaping rules are +already set by the shell. For example command lines like @code{find +... -print | some-shell-script} require specific care. +@item http://xkcd.com/327/ +A humorous and pithy summary of the broader problem. +@end table + @comment node-name, next, previous, up @node Error Messages @chapter Error Messages |
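Review bot: the new menu entry `* Further Reading on Security::` in the first hunk has no description after the `::`, while every neighbouring entry carries one (`Security problems with xargs`, `Security problems with locate`, `That was all very complex, what does it boil down to?`). Texinfo accepts an empty description, but the menu then reads unevenly in Info and the reader cannot tell what the node contains before entering it; suggest a short description such as `* Further Reading on Security:: Pointers to related articles on the web`.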
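Review bot: in the second hunk the first `@item` points at the shortener `http://goo.gl/DAvh` and keeps the real target (the CERT MSC09-C page) only in an `@c` comment, so readers of the printed or Info manual see an opaque link whose resolution depends on a third-party redirect service the project does not control; put the `https://www.securecoding.cert.org/...` URL in the `@item` itself and drop the comment (if the column is too narrow, `@uref{url, text}` is the Texinfo way to give it link text). Two smaller points in the same table: the CWE links mix schemes (`http://cwe.mitre.org/...` for 78 and 116, `https://cwe.mitre.org/...` for 73), so use `https` for all three; and the CWE-116 entry says that `find ... -print | some-shell-script` requires specific care without saying why. Stating the reason (a newline inside a file name is indistinguishable from the separator between names in `-print` output, which is what `-print0` exists to avoid) would tie the reference back to the manual's own advice.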