bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: read -e allows execution of commands (edit-and-execute-command) as t


From: Chet Ramey
Subject: Re: read -e allows execution of commands (edit-and-execute-command) as the shell's process user
Date: Tue, 9 May 2017 16:28:51 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.1.0

On 5/9/17 12:41 AM, Eduardo Bustamante wrote:
> On Mon, May 8, 2017 at 3:09 PM, Chet Ramey <address@hidden> wrote:
>> There's no compelling reason to disallow it.  If a system administrator
>> wants to unbind certain readline commands (and unset INPUTRC!) to protect
>> against a specific use case, he is free to do that.
> 
> I agree. I changed my mind after sending that email. I still think it
> would be prudent to mention this in the docs somewhere. Perhaps a
> section on "security notes" in the manual/reference? or a mention in
> the FAQ?

        [...]

> I couldn't find any decent reference online that mentions a few of the
> "traps" that bash has in regards to secure programming (e.g. "don't
> evaluate user supplied input in arithmetical contexts without
> sanitizing!", "be careful with SHELLOPTS/xtrace/PS4!", "don't use read
> -e unless you trust the user supplying the info or know how to plug
> the holes", "don't evaluate user supplied regular expressions!")

This would be a great project for someone who wanted to help.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    address@hidden    http://cnswww.cns.cwru.edu/~chet/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]