bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: declare a="$b" if $a previously set as array


From: Florian Weimer
Subject: Re: declare a="$b" if $a previously set as array
Date: Mon, 15 Dec 2014 00:42:51 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0

On 12/14/2014 08:45 PM, Chet Ramey wrote:
On 12/7/14 11:16 PM, Eduardo A. Bustamante López wrote:
On Sun, Dec 07, 2014 at 07:34:53PM -0800, Linda Walsh wrote:
Only if you properly quote "external input".
Well, that's the whole point, as a script writer, I don't expect to get
arbitrary code execution here:

| address@hidden:~/t$ unset var; value='[$(ls -l)]=1 [2]=2'; declare -a 
var="($value)"; declare -p var
| bash: total 0: syntax error in expression (error token is "0")

Yeah, that's what we're discussing.

Or here:
| address@hidden:~/t$ a=(1 2 3); k='a[$(ls -l)]'; echo "${a[k]}"
| bash: total 0: syntax error in expression (error token is "0")

And I *shouldn't* have to worry about that.

But the ship has sailed on this one.  Every shell that implements indexed
arrays does what bash does here.

This matches my observations. That's why I recommend not to use array variables in shell scripts:


<http://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/sect-Defensive_Coding-Shell-Types.html>

--
Florian Weimer / Red Hat Product Security



reply via email to

[Prev in Thread] Current Thread [Next in Thread]