Weaponized file name flaw makes updating glob an urgent job

Researchers have urged users of the glob file pattern matching library to update their installations, after discovery of a years-old remote code execution flaw in the tool's CLI. Glob is used to find files using wildcards, is typically run as a library API, and is an all but universal part of the JavaScript stack. This …

  1. An_Old_Dog Silver badge

    EdgeStepper -- What is it Good (Bad) For?

    Sooo .... don't Microsoft Windows and Apple macOS cryptographically-check the files which comprise OS updates?

    Is this gang targeting 3rd-party apps whose update mechanisms don't include crypto-signing/crypto-checking?

  2. Yet Another Anonymous coward Silver badge

    Oh FFS

    Back when the Universe was young and Vaxen stalked the Earth, you could get root on most Unix machines by calling a file '-i' and passing it to a suid shell script

    Haven't we learned anything in nearly half a century ?

    1. Bebu sa Ware Silver badge
      Facepalm

      Re: Oh FFS

      "suid shell script"

      I, possibly mistakenly, thought modern systems didn't support those. Shells themselves get a bit noisy if you set them suid root, i.e. when euid ≠ ruid.

      Of course you can always try fiddling with Linux capabilities to get the same effect. ;)

      "Haven't we learned anything in nearly half a century ? "

      Clearly not—in pretty much any domain one might consider.

      1. Peter Gathercole Silver badge

        Re: Oh FFS @Bebu

        There is the point. You've said "modern", the OP said "when Vaxen strolled the Earth" (DEC VAXes were popular BSD UNIX platforms in the late 1970's and '80's, although several other UNIX flavours were available for VAX). Removing the ability to have a suid-on-execution for a shell script happened around the late 1980's. I certainly remember using them, and explaining to early IBM RS/6000 users exactly why IBM and other UNIX vendors had removed the feature.

    2. ChoHag Silver badge

      Re: Oh FFS

      Learn from the past? Developers? That would require an acknowledgement that somebody other than themselves can, even rarely, be right.

    3. Dan 55 Silver badge

      Re: Oh FFS

      If you take the output of glob and run a command on it in the shell, pretty much what you expect is going to happen is going to happen.

      So why on earth did they put a call to it in node.js?

    4. Peter Gathercole Silver badge

      Re: Oh FFS

      Well, we did learn that suid shell scripts were a really bad thing quite a long time ago (35 years or more). CI/CO by tools is something that has come along more recently, and has introduced new problems, mainly to do with other forms of implied trust.

      But calling a file "-i" was a common practice to protect a directory from an "rm *". Because "-i" almost always sorts early in most collating sequences, it turned "rm *" into "rm -i <rest of files>". Just never create a file "-rf"!

      UNIX-like OSes have always been very unfussy about what characters can appear in a filename. I'm sure there may be a few more, but off the top of my head, the only characters that are definitely not allowed are "/" and NULL. Your friends when trying to see/fix awkward characters are the "-b" flag on ls, and octal character expansion in shells. Even this has become more complicated as a result of multi-byte character sets and collating sequences.
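
      The "-i" file trick above, and Dan 55's point that feeding glob output to a shell command does exactly what you would expect, can both be shown in a few lines of POSIX sh. This is an added example, not code from the thread or from the glob project: it constructs a throw-away directory containing a file literally named "-i" (the name from the comment above), shows that a plain `wc -c *` rejects that name as an unknown option, and shows the two idioms that neutralise it, a `--` end-of-options marker and a `./` prefix on the glob. `wc` is used purely as a harmless stand-in for whatever command a script might run over glob matches.

```sh
#!/bin/sh
# Added example, not from the thread: shows why a glob match named "-i" is
# parsed as an option when the expansion is handed to a command, and the two
# idioms ("--" and a "./" prefix) that make every match an operand.
# Everything runs in a temporary directory constructed here.

# Build a throw-away directory holding one awkward name ("-i", as in the
# comment above) and two ordinary files; prints the directory path.
make_fixture() {
  fixture_dir=$(mktemp -d) || return 1
  : > "$fixture_dir/-i"
  : > "$fixture_dir/alpha.txt"
  : > "$fixture_dir/beta.txt"
  printf '%s\n' "$fixture_dir"
}

# Count glob matches whose name begins with "-": the names a plain
# "cmd *" would misread as options. A cheap pre-flight check for scripts
# that feed glob output to other tools.
count_dash_names() {
  ( cd "$1" || exit 1
    n=0
    for f in *; do
      case "$f" in -*) n=$((n + 1)) ;; esac
    done
    printf '%s\n' "$n" )
}

# The naive form. LC_ALL=C makes "-i" sort first, as the comment above notes
# it usually does, so wc sees "-i" before any file operand and rejects it as
# an unknown option (GNU getopt would find it anywhere in the argument list;
# BSD getopt only when it comes first). Returns wc's exit status.
naive_count() {
  ( cd "$1" || exit 1
    LC_ALL=C; export LC_ALL
    wc -c * >/dev/null 2>&1 )
}

# Fix 1: "--" ends option parsing, so everything after it is an operand.
safe_count_dashdash() {
  ( cd "$1" || exit 1
    LC_ALL=C; export LC_ALL
    wc -c -- * >/dev/null 2>&1 )
}

# Fix 2: "./*" means no argument can begin with "-" at all. Prints how many
# lines wc produced (one per file plus the "total" line).
safe_count_dotslash() {
  ( cd "$1" || exit 1
    LC_ALL=C; export LC_ALL
    wc -c ./* 2>/dev/null | wc -l | tr -d ' ' )
}

fixture=$(make_fixture)
printf 'glob matches starting with "-": %s\n' "$(count_dash_names "$fixture")"
if naive_count "$fixture"; then
  printf 'naive "wc -c *": succeeded\n'
else
  printf 'naive "wc -c *": wc rejected "-i" as an option\n'
fi
if safe_count_dashdash "$fixture"; then
  printf '"wc -c -- *": succeeded\n'
fi
printf '"wc -c ./*": %s output lines\n' "$(safe_count_dotslash "$fixture")"
rm -rf -- "$fixture"
```

      The `--` idiom depends on the command honouring the POSIX end-of-options convention, which almost every standard utility does; the `./` prefix works with any command, because the kernel and the command only ever see a path that starts with a dot. A script that builds commands from glob output should use one of the two every time, not just when it happens to know the directory is clean.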

  3. Pascal Monett Silver badge

    "concerning UAS activity over sensitive critical infrastructure sites"

    So, installation of radars and Gatling guns or megawatt lasers is now going to become a standard on these sites ?

    You can bet Cupertino is going to install a dozen of each.

    What a wonderful society we are creating.

    1. Like a badger Silver badge

      Re: "concerning UAS activity over sensitive critical infrastructure sites"

      I don't think so. Drone incursions over sensitive locations have been a thing for several years now, and the single abiding characteristic is that the authorities in all western nations wring their hands whilst actually doing next to nothing, have caught few if any perpetrators, and have set up no adequate perimeter defences. Not even basic stuff like drone on drone fighters, or a bloke with a long range shotgun or similar.

      The only weapon that governments have deployed is the prattle gun, and we know how effective that is.

  4. Anonymous Coward

    Weaponized file name flaw makes updating JavaScript library glob an urgent job

    I'm sure I won't have been the only person who thought, from the insufficiently clear article title, and until a good way through the second paragraph, that the glob being referred to was the glob functionality in one or more shells that would need updating, rather than yet another JavaScript library issue…

    Two more words, that's all that it needed (and it wouldn't even have wrecked the rhyming at all):

    Weaponized file name flaw makes updating JavaScript library glob an urgent job
