Re: Command name dequote does not work
From: Dan Douglas
Subject: Re: Command name dequote does not work
Date: Tue, 15 Apr 2014 11:00:35 -0500
User-agent: KMail/4.12.4 (Linux/3.14.0-pf1+; KDE/4.12.4; x86_64; ; )

On Tuesday, April 15, 2014 05:46:07 PM Ralf Goertz wrote:
> I am not the OP but on OpenSuse 13.1 I have
>
> $ type dequote
> dequote is a function
> dequote ()
> {
> eval printf %s "$1" 2> /dev/null
> }

If you're already aware, for the benefit of others, that's a very dangerous
function. The right argument allows arbitrary code execution if it contains
e.g. a semicolon to delimit a new command. "dequote" is a deceptive name there.
I hope that isn't some distro's default bashrc.

$ ( evil() { echo "evil here"; }; dequote() { eval printf %s "$1" 2> /dev/null;
}; set -x; dequote "; evil" )
+ dequote '; evil'
+ eval printf %s '; evil'
evil here
--
Dan Douglas
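
Quote removal done without eval, as an added example that is not part of the original message or of any distribution's bashrc: `dequote_safe` is a hypothetical name and the sample words are constructed. It handles single quotes, double quotes and backslash escapes only, so `;`, `$` and backticks come back as literal text.

```shell
# Added example: dequote_safe is a hypothetical name, not a bash builtin.
# Quote removal by scanning characters; the input never reaches eval.
# The body is a subshell, so its working variables do not leak to the caller.
dequote_safe() (
    s=$1 out='' state=plain       # state: plain | single | double
    while [ -n "$s" ]; do
        rest=${s#?}               # everything after the first character
        c=${s%"$rest"}            # the first character itself
        s=$rest
        case $state in
        single)                   # inside '...': everything is literal
            if [ "$c" = "'" ]; then state=plain; else out=$out$c; fi ;;
        double)
            case $c in
            '"') state=plain ;;
            \\) # inside "...", a backslash only escapes \ " $ and `
                n=${s%"${s#?}"}
                case $n in
                '\'|'"'|'$'|'`') out=$out$n; s=${s#?} ;;
                *) out=$out$c ;;
                esac ;;
            *) out=$out$c ;;
            esac ;;
        plain)
            case $c in
            "'") state=single ;;
            '"') state=double ;;
            \\) # outside quotes, a backslash escapes the next character
                n=${s%"${s#?}"}
                out=$out$n; s=${s#?} ;;
            *) out=$out$c ;;      # ; $ ` and the rest stay literal text
            esac ;;
        esac
    done
    printf %s "$out"
)

# Constructed sample words, including the '; evil' argument from the message.
for w in "'a b'" '"a\"b"' 'a\ b' '; evil' '$(evil)'; do
    printf '[%s] -> [%s]\n' "$w" "$(dequote_safe "$w")"
done
```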