bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: currently doable? Indirect notation used w/a hash


From: Dan Douglas
Subject: Re: currently doable? Indirect notation used w/a hash
Date: Fri, 14 Jun 2013 06:02:15 -0500
User-agent: KMail/4.10.4 (Linux/3.9.4-pf+; KDE/4.10.4; x86_64; ; )

On Monday, June 10, 2013 09:39:56 AM Greg Wooledge wrote:
> > On 10 Jun 2013 14:15, "Chris F.A. Johnson" <chris@cfajohnson.com> wrote:
> > >    It is not the least bit difficult with eval:
> > >
> > > eval "array=( \"\${$1[@]}\" )"
> 
> On Mon, Jun 10, 2013 at 09:17:23PM +0800, Chris Down wrote:
> > Enjoy your arbitrary command execution.
> 
> To be fair, Chris Johnson was probably assuming a programming environment
> where the function is only callable from within the same script, and
> thus has only trustworthy arguments provided by the caller.  Sometimes,
> this is the case.  Sometimes, it isn't.
> 
> In a more general sense, using eval SAFELY requires undergoing several
> tedious steps.

You're aware of this. For the record, there should never be a situation where 
a variable name isn't guaranteed. All builtins that accept variable names, 
arithmetic variable dereferences, and indirect variable expansions are 
exploitable, not just eval. It never makes sense to have the name of some 
internal label not controlled entirely internally.

If it's a library function used by some other script, then responsibility for 
making that guarantee is inherited by the library consumer. There's no 
difference.

To validate a "parameter name" fully requires a full shell parser, because the 
subscript of an indexed array is effectively a part of its name as far as Bash 
is concerned.

-- 
Dan Douglas



reply via email to

[Prev in Thread] Current Thread [Next in Thread]