bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: currently doable? Indirect notation used w/a hash


From: Chris F.A. Johnson
Subject: Re: currently doable? Indirect notation used w/a hash
Date: Mon, 10 Jun 2013 11:24:46 -0400 (EDT)
User-agent: Alpine 2.02 (DEB 1266 2009-07-14)

On Mon, 10 Jun 2013, Greg Wooledge wrote:

On Mon, Jun 10, 2013 at 10:23:10AM -0400, Chris F.A. Johnson wrote:
On Mon, 10 Jun 2013, Chris Down wrote:

Enjoy your arbitrary command execution.

   Can you give me an example, using the code I posted, where that would
   happen?

On 10 Jun 2013 14:15, "Chris F.A. Johnson" <chris@cfajohnson.com> wrote:
eval "array=( \"\${$1[@]}\" )"

imadev:~$ foobar() { set -x; eval "array=( \"\${$1[@]}\" )"; }
imadev:~$ foobar 'a}"); date; b=("${q'
+ foobar 'a}"); date; b=("${q'
+ set -x
+ eval 'array=( "${a}"); date; b=("${q[@]}" )'
++ array=("${a}")
++ date
Mon Jun 10 10:31:41 EDT 2013
++ b=("${q[@]}")

A really clever attack wouldn't leave those extra variables lying around,
either.  I stopped at "working" and didn't spend the extra time for
"clever".

  Point taken, but the only way such a string would be passed as a
  variable name is if it was given as user input -- which would,
  presumably, be sanitized before being used. Programming it literally
  makes as much sense as 'rm -rf /'.

--
   Chris F.A. Johnson, <http://cfajohnson.com/>
   Author:
   Pro Bash Programming: Scripting the GNU/Linux Shell (2009, Apress)
   Shell Scripting Recipes: A Problem-Solution Approach (2005, Apress)



reply via email to

[Prev in Thread] Current Thread [Next in Thread]