From 69488205afe631b2d9489d0941d3290e1577faf9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Dr=2E=20Andr=C3=A1s=20Korn?= <korn-github.com@elan.rulez.org>
Date: Mon, 1 Jun 2015 11:12:40 +0200
Subject: [PATCH] zshenv: avoid placing empty components in PATH; reorder
 root's PATH

zsh treats an empty PATH component ("::") as ".", which creates a
security hole. Sanitize PATH by explicitly removing empty
components.

As agreed on #grml, root's PATH should also list /usr/local/sbin
and /usr/local/bin before /sbin, /bin, /usr/sbin and /usr/bin;
and there is no harm in adding $HOME/bin unconditionally as the
first PATH component.
---
 etc/zsh/zshenv | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/etc/zsh/zshenv b/etc/zsh/zshenv
index 954ca38..d696b56 100644
--- a/etc/zsh/zshenv
+++ b/etc/zsh/zshenv
@@ -90,17 +90,21 @@ if (( EUID != 0 )); then
   )
 else
   path=(
+    $HOME/bin
+    /usr/local/sbin
+    /usr/local/bin
     /sbin
     /bin
     /usr/sbin
     /usr/bin
-    /usr/local/sbin
-    /usr/local/bin
     "${ADDONS}"
     "${path[@]}"
   )
 fi
 
+# remove empty components to avoid '::' ending up + resulting in './' being in $PATH
+path=( "${path[@]:#}" )
+
 typeset -U path
 
 # less (:=pager) options:
-- 
2.1.4