[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Is this exploitable?

From: Greg Wooledge
Subject: Re: Is this exploitable?
Date: Mon, 11 May 2009 08:20:54 -0400
User-agent: Mutt/

On Mon, May 11, 2009 at 10:35:18AM +1000, Jon Seymour wrote:
> I am trying to parse untrusted strings and represent in a form that
> would be safe to execute.

printf "%q"

> cmd="echo"
> for a in "$@"
> do
>     cmd="$cmd '${a/\'/''}'"
> done
> echo "$cmd"
> eval "$cmd"

http://mywiki.wooledge.org/BashFAQ/050 - I'm trying to put a command in
a variable, but the complex cases always fail!

Your escaping is wrong in any event.  You don't escape an apostrophe
by putting another apostrophe in front of it.  I.e., this is NOT valid
bash syntax:

  echo 'can''t'

This is:

  echo 'can'\''t'

Also, your parameter expansion is only handling the FIRST apostrophe
in each argument.  That's surely not enough.

As I said earlier: printf "%q"

> Is my code safe, or can someone maliciously choose arguments to
> as-echo.sh that could cause it (as-echo.sh) to do something other than
> write to stdout?

imadev:~$ ./as-echo.sh ls "can't';date'"
 'ls' 'can''t';date''
cant not found
Mon May 11 08:19:33 EDT 2009

reply via email to

[Prev in Thread] Current Thread [Next in Thread]