[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Unexpected code injection with [[ -v ]]

From: Chet Ramey
Subject: Re: Unexpected code injection with [[ -v ]]
Date: Tue, 10 Nov 2020 12:12:14 -0500
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.4.0

On 11/9/20 6:29 PM, Greg Wooledge wrote:
> bash version 5.0.3(1)-release, Debian package 5.0-4, amd64.
> Prompted by a discussion with someone in IRC.
> unicorn:~$ key='$(date >&2)'
> unicorn:~$ declare -A aa
> unicorn:~$ aa[$key]=foo
> unicorn:~$ echo "${aa[$key]}"
> foo
> unicorn:~$ [[ -v aa[$key] ]]
> Mon Nov  9 18:17:30 EST 2020
> bash: aa: bad array subscript
> unicorn:~$ [[ -v 'aa[$key]' ]]
> unicorn:~$ 
> It's well-known that handing an unsanitized index to an *indexed* array
> causes code injection when the index is evaluated in a math context, but
> the code injection from -v with an *associative* array is a new one to me.
> It's especially confusing because it doesn't happen with assignments or
> expansions -- just with -v.

When executing the conditional command, each word is expanded once. The
difference between [[ and [ is that the word isn't split, and that's why
you get an error when you try this with test/[. Then the array subscript is
expanded to determine whether or not it's set, as usual.

When you use assignments or expansions, the subscript is expanded once.

``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/

reply via email to

[Prev in Thread] Current Thread [Next in Thread]