
Re: Arithmetic + array allows for code injection

From: Greg Wooledge
Subject: Re: Arithmetic + array allows for code injection
Date: Fri, 30 May 2014 14:08:14 -0400
User-agent: Mutt/

On Fri, May 30, 2014 at 08:57:42PM +0300, Pierre Gaston wrote:
> It doesn't seem right for code looking as innocent as $((a[$i])) or
> $((a["$i"])) to allow running arbitrary commands for some value of i, that
> are not even that clever:
> $ i='$( echo >&2 an arbitrary command )';:  $((a["$i"]))
> an arbitrary command
> $ i='"$( echo >&2 an arbitrary command)"';: $((a[$i]))
> an arbitrary command

A workaround is to avoid the explicit $i inside the square brackets:

imadev:~$ i='$(date)'; : $((a[$i]))
bash: Fri May 30 14:05:34 EDT 2014: syntax error in expression (error token is "May 30 14:05:34 EDT 2014")
imadev:~$ i='$(date)'; : $((a[i]))
bash: $(date): syntax error: operand expected (error token is "$(date)")

I don't dispute the need to fix it, though.
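As an added example, not part of the thread or of bash itself: a small guard that admits only plain decimal subscripts before any arithmetic expansion touches the array, combined with the `$((a[i]))` form from the workaround above so the index variable's value is never re-expanded as shell code. The function names `is_index` and `safe_elem` and the sample array are constructed for this illustration.

```bash
#!/usr/bin/env bash
# Constructed sample array (not from the thread).
a=(10 20 30)

# is_index: succeed only when $1 is a non-empty string of decimal digits.
# Anything else (empty, sign, letters, '$(', quotes) is rejected before it
# can reach an arithmetic context.
is_index() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# safe_elem: print a[$1] via arithmetic expansion, but only after the
# subscript has passed is_index. The subscript is written as a[i], not
# a[$i], so the evaluator sees the variable name and not its raw value.
safe_elem() {
    local i=$1
    if ! is_index "$i"; then
        echo "safe_elem: rejected non-numeric index: $i" >&2
        return 1
    fi
    echo "$((a[i]))"
}

# Stand-alone demonstration: a good index and a rejected one.
safe_elem 1                       # prints 20
safe_elem '$(echo injected >&2)'  # rejected; nothing is executed
```

Rejecting the value up front is the part that matters: with the check in place the string `$(...)` is never handed to the arithmetic evaluator at all, so the outcome does not depend on which bash version is doing the parsing.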
