bug-bash

Re: Command name dequote does not work


From: Dan Douglas
Subject: Re: Command name dequote does not work
Date: Tue, 15 Apr 2014 11:00:35 -0500
User-agent: KMail/4.12.4 (Linux/3.14.0-pf1+; KDE/4.12.4; x86_64; ; )

On Tuesday, April 15, 2014 05:46:07 PM Ralf Goertz wrote:       
> I am not the OP but on OpenSuse 13.1 I have
> 
> $ type dequote
> dequote is a function
> dequote () 
> { 
>     eval printf %s "$1" 2> /dev/null
> }

If you're already aware, for the benefit of others, that's a very dangerous 
function. The right argument allows arbitrary code execution if it contains 
e.g. a semicolon to delimit a new command. "dequote" is a deceptive name there. 
I hope that isn't some distro's default bashrc.

$ ( evil() { echo "evil here"; }; dequote() { eval printf %s "$1" 2> /dev/null; 
}; set -x; dequote "; evil" )
+ dequote '; evil'
+ eval printf %s '; evil'
evil here

-- 
Dan Douglas
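
The eval-based function from the quoted message beside a quote-removal parser that never evaluates its argument. This is an added example, not part of the original message or of any distribution's bashrc. `vulnerable_dequote` and `safe_dequote` are names chosen here, and treating `$` and backticks as literal text is an assumption about what a dequote helper needs.

```sh
#!/bin/sh
# Added example. vulnerable_dequote and safe_dequote are names chosen here;
# evil() and the "; evil" argument are the ones used in the message above.

evil() { echo "evil here"; }

# The quoted pattern: eval re-parses the argument as shell source.
vulnerable_dequote() {
    eval printf %s "$1" 2>/dev/null
}

# Quote removal only. The argument is walked one character at a time and is
# never evaluated, so semicolons and command substitutions stay literal text.
safe_dequote() (
    s=$1 out='' mode=plain
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}     # first character
        s=${s#?}            # remainder
        case $mode:$c in
            plain:\')  mode=single ;;
            plain:\")  mode=double ;;
            single:\') mode=plain ;;
            double:\") mode=plain ;;
            plain:\\)  # outside quotes a backslash makes the next char literal
                out=$out${s%"${s#?}"}; s=${s#?} ;;
            double:\\) # in double quotes it escapes only dquote, backslash, dollar, backtick
                n=${s%"${s#?}"}
                case $n in
                    '"'|'\'|'$'|'`') out=$out$n; s=${s#?} ;;
                    *) out=$out$c ;;
                esac ;;
            *) out=$out$c ;;
        esac
    done
    [ "$mode" = plain ] || return 1   # unterminated quote: reject the input
    printf %s "$out"
)

demo() {
    for arg in "'foo bar'" '"a b"' 'a\ b' '; evil'; do
        printf 'input=[%s]\n  eval-based: [%s]\n  parser:     [%s]\n' \
            "$arg" "$(vulnerable_dequote "$arg")" "$(safe_dequote "$arg")"
    done
}
demo
```

Both functions agree on ordinary quoted words; only the last input differs, where the eval-based version runs `evil` and the parser returns the string unchanged.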


