Context:
In my .bashrc, I include ~/.local/bin in $PATH, in order to run user-local applications. find’s -execdir option refuses to run when . is in $PATH, as it would allow overriding the invoked binaries (note that my case is, in fact, a false positive w.r.t. the threat described in find’s man page).

Command run:

Expected result:
Firmware files are unpacked/repacked

Actual result:
repack.sh fails with the following error:
find: The relative path ‘~/.local/bin/’ is included in the PATH environment variable, which is insecure in combination with the -execdir action of find. Please remove that entry from $PATH

Suggested remedy:
For the use case, the -exec option of find would work just as well, and does not have the related security implications or the consequent checks.
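As an added example, not part of the original report: a POSIX sh script that lists the PATH entries find's -execdir check rejects (every entry that does not start with /, which covers ".", an empty entry and a literal ~/... left unexpanded, for instance by a quoted assignment in .bashrc) and rewrites such a tilde entry to $HOME so the entry is absolute and -execdir can run. The function names and the sample PATH value are constructed for the example; -exec is unaffected by the check because it does not chdir into each matched file's directory.

```shell
#!/bin/sh
# Added example (not from the original report): audit a PATH value the way
# find's -execdir check does, then fix the offending entry.
# find rejects any entry that does not start with "/": ".", an empty entry
# and an unexpanded "~/..." all count, because a command looked up through
# such an entry would resolve relative to the directory find chdir()s into
# before running the -execdir action.

# Print the non-absolute entries of the PATH-like string $1, one per line.
# Returns 1 when at least one such entry exists, 0 when all are absolute.
relative_path_entries() {
    _found=0
    _rest="$1:"                  # trailing ":" so a final empty entry is seen
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case $_entry in
            /*) ;;                                  # absolute: fine for -execdir
            "") echo "(empty entry)"; _found=1 ;;
            *)  printf '%s\n' "$_entry"; _found=1 ;;
        esac
    done
    return $_found
}

# Rewrite the PATH-like string $1 so a bare "~" or leading "~/" in any entry
# becomes $HOME, i.e. the absolute form an unquoted assignment would have
# produced. Other entries are passed through unchanged.
absolutize_tilde_entries() {
    _out=""
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case $_entry in
            "~")   _entry=$HOME ;;
            "~/"*) _entry="$HOME/${_entry#"~/"}" ;;
        esac
        _out="$_out$_entry:"
    done
    printf '%s\n' "${_out%:}"
}

# Demonstration on a constructed PATH value (not the reporter's real one).
demo_path='~/.local/bin:/usr/local/bin:/usr/bin'
echo "entries find -execdir would reject in '$demo_path':"
relative_path_entries "$demo_path" || true
echo "same PATH with the tilde entry made absolute:"
absolutize_tilde_entries "$demo_path"
```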