In response to the comments left on my previous entry about executable configuration files I've changed the way that tscreen works.
There is still support for using an arbitrary shell script or binary as a configuration file, but you must be explicit to enable it:
# # Load the dynamic section, if it exists. # if -x ~/.tscreen.dynamic 'source ~/.tscreen.dynamic|'
The change here is the trailing "|" on the argument to the source command:
- source ~/foo/bar
Opens ~/foo/bar and parses the contents. (Assuming it exists.)
- source ~/bin/blah|
Executes ~/bin/blah and parses the output. (Assuming it exists)
I still see no security risk with the previous setup, but I'm happy to apply a little misdirection if that makes people feel better.