Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash

From: Stephane Chazelas
Subject: Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey)
Date: Fri, 10 Oct 2014 15:55:47 +0100
2014-10-10 10:17:40 -0400, Chet Ramey:
> > bash -c '(( XDG_VTNR < 7 ))'
> > 
> > That allows arbitrary code execution (and can't easily be
> > fixed without breaking backward compatibility).
> > 
> > Try with "export XDG_VTNR='a[$(echo>&2 vulnerable)]'".
> Sure, and that's documented, intended, and not unique.

Is it really intended and documented that cmdsubst be performed

AFAICT, it's not useful and not consistent.

a='$(echo 1+1)' bash -c 'echo $((a))'

Doesn't work. So why would these work

a='b[$(echo 1+1)]' bash -c 'echo $((a))'
a='$(echo 1+1)' bash -c 'echo $((b[a]))'

then? Where is it documented that variable, arithmetic, command, tilde and
process substitution are performed in array subscripts in indirectly
evaluated arithmetic expressions?

I can accept:

echo $((a[$(echo 1+1)]))
a[$(echo 1+1)]=2

being accepted intentionally.

But I can't see why the content of a variable should be
interpreted as anything else than an arithmetic expression just
because it's in an array subscript.
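
Added example, not part of the original message: a guard for the `(( XDG_VTNR < 7 ))` pattern discussed above, which checks that an environment-supplied value is a plain decimal integer before any numeric comparison and never hands unvalidated text to an arithmetic context. The function names `is_decimal_int` and `env_int_lt` and the 18-digit limit are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# True only for an optional "-" followed by 1 to 18 decimal digits.
# The 18-digit cap (an assumption) keeps the value inside a signed 64-bit range.
is_decimal_int() {
    _v=${1#-}                      # strip one leading minus sign, if any
    case $_v in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains any non-digit character
    esac
    [ "${#_v}" -le 18 ]
}

# Compare value < limit without arithmetic evaluation of unvalidated text.
# Returns 0: value is less, 1: value is not less, 2: value rejected.
env_int_lt() {
    is_decimal_int "$1" || return 2
    [ "$1" -lt "$2" ]              # reached only with a validated integer
}

# Constructed sample values; the third is the string quoted in the thread.
# It stays inside single quotes and is only ever treated as data.
for sample in 3 12 'a[$(echo>&2 vulnerable)]' 'b[a]' ''; do
    rc=0
    env_int_lt "$sample" 7 || rc=$?
    printf '%-28s -> %s\n' "[$sample]" "$rc"
done
```

A caller would replace `(( XDG_VTNR < 7 ))` with `env_int_lt "$XDG_VTNR" 7` and treat return code 2 as a rejected value.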


