Open Meekohi opened 5 years ago
I think it'd be pretty easy to construct a scenario where this is a serious security problem
Please go ahead. You will not be able to though (or at least I do not think you will). Bash will strip # and any characters to the end of the line before even considering executing the line.
Not true, unfortunately.
meekohi ~$ echo test # test
test
meekohi ~$ echo test# test
test# test
This was supposed to be fixed a while ago: https://github.com/conda/constructor/commit/3210963e1914e4e6f6db9da36a8b846ebcb649d0 🤔
Weird, looks right to me as well... any chance that commit just didn't make it into the 2018.12 installer for some reason?
Actual Behavior
Installing with the "Python 3.7 Anaconda 2018.12 for macOS Installer" (https://repo.anaconda.com/archive/Anaconda3-2018.12-MacOSX-x86_64.pkg)
During installation, when updating
.bash_profile
, the new content doesn't start with a new line. If your original.bash_profile
ends without a new-line, this can create a broken line, for example in my case:Expected Behavior
The lines added by Anaconda should begin with a newline:
Steps to Reproduce
Have a
.bash_profile
that doesn't end with a new line. Do a fresh install.Anaconda or Miniconda version:
I used https://repo.anaconda.com/archive/Anaconda3-2018.12-MacOSX-x86_64.pkg for this, I don't know if this is OSX only or if it effects other platform.s
Operating System:
OSX
Urgent?
I think it'd be pretty easy to construct a scenario where this is a serious security problem. In my case it was obvious something was wrong and none of the additional files existed, but an exercise to the reader to create one that fails silently.