Re: read -e allows execution of commands (edit-and-execute-command) as the shell's process user
Tue, 9 May 2017 16:28:51 -0400
On 5/9/17 12:41 AM, Eduardo Bustamante wrote:
> On Mon, May 8, 2017 at 3:09 PM, Chet Ramey <address@hidden> wrote:
>> There's no compelling reason to disallow it. If a system administrator
>> wants to unbind certain readline commands (and unset INPUTRC!) to protect
>> against a specific use case, he is free to do that.
> I agree. I changed my mind after sending that email. I still think it
> would be prudent to mention this in the docs somewhere. Perhaps a
> section on "security notes" in the manual/reference? or a mention in
> the FAQ?
> I couldn't find any decent reference online that mentions a few of the
> "traps" that bash has in regards to secure programming (e.g. "don't
> evaluate user supplied input in arithmetical contexts without
> sanitizing!", "be careful with SHELLOPTS/xtrace/PS4!", "don't use read
> -e unless you trust the user supplying the info or know how to plug
> the holes", "don't evaluate user supplied regular expressions!")
This would be a great project for someone who wanted to help.
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU address@hidden http://cnswww.cns.cwru.edu/~chet/
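Two of the traps listed in the quoted message, arithmetic evaluation of unvalidated input and prompting with `read -e`, as a small added example (not code from bash or from anyone in this thread; the function names and the inputs are constructed for illustration). The script is plain POSIX sh so the same checks work whether or not bash is the interpreter.

```shell
# Added example: validate before the shell ever evaluates what a user typed.

# is_int VALUE: succeed only if VALUE is an optionally signed decimal integer.
is_int() {
    case $1 in
        -*) set -- "${1#-}" ;;
    esac
    case $1 in
        '' | *[!0-9]*) return 1 ;;
    esac
    return 0
}

# unsafe_double VALUE: the pattern the thread warns against. The caller's
# text is spliced straight into the arithmetic expression, so the input
# '2+3' is silently evaluated as 2+3*2 instead of being rejected.
unsafe_double() {
    printf '%s\n' "$(( $1 * 2 ))"
}

# safe_double VALUE: reject anything that is not a plain integer before it
# reaches $(( )). Exit status 2 and no output on bad input.
safe_double() {
    is_int "$1" || return 2
    printf '%s\n' "$(( $1 * 2 ))"
}

# prompt_int PROMPT: read one line from stdin with 'read -r' and no -e,
# so readline (and whatever edit-and-execute-command is bound to in the
# user's inputrc) never runs on behalf of the script. Loops until the
# reply passes is_int, then prints it; status 1 on end of input.
prompt_int() {
    while :; do
        printf '%s' "$1" >&2
        IFS= read -r reply || return 1
        if is_int "$reply"; then
            printf '%s\n' "$reply"
            return 0
        fi
        printf 'not an integer: %s\n' "$reply" >&2
    done
}
```

When the line editing of `read -e` is genuinely wanted for an untrusted user, the system-level answer from the thread still applies: unbind the dangerous readline commands and unset INPUTRC before the shell starts.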