bug-bash

Re: Arbitrary command execution from test on a quoted string


From: Kerin Millar
Subject: Re: Arbitrary command execution from test on a quoted string
Date: Thu, 28 Oct 2021 23:24:30 +0100

On Thu, 28 Oct 2021 20:33:22 +0000
elettrino via Bug reports for the GNU Bourne Again SHell <bug-bash@gnu.org> 
wrote:

> The following shows an example of bash testing a quoted string and as a 
> result executing a command embedded in the string.
> 
> Here I used the command "id" to stand as an example of a command. The output 
> of id on this machine was as follows:
> 
> user@machine:~$ id
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
> 
> So to demonstrate:
> 
> user@machine:~$ USER_INPUT='x[$(id>&2)]'
> user@machine:~$ test -v "$USER_INPUT"
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
> 
> This means that if variable USER_INPUT was indeed input from a user, the user 
> could execute an arbitrary command.
> 
> Also unexpected (and presumably related), bash is expanding the construct 
> inside single quote marks:
> 
> user@machine:~$ test -v 'x[$(id>&2)]'
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
> 
> user@machine:~$ echo $BASH_VERSION
> 4.4.20(1)-release
> user@machine:~$
> 
> I don't know whether this happens with anything other than the -v option with 
> test; I have not seen it happen under any other circumstance.
> 
> Sent with [ProtonMail](https://protonmail.com) Secure Email.

It is a regrettable consequence of the arithmetical context. See 
https://mywiki.wooledge.org/BashProgramming/05#Arithmetic_Expansion for some 
other examples. As things stand, your only option is to validate or sanitise 
arbitrarily specified array indices before proceeding to use them in such a 
context.

-- 
Kerin Millar
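
One way to do the validation suggested in the reply above, as an added example that is not part of the original thread or of bash itself. It assumes the untrusted value should name either a plain variable or an indexed-array element with a literal decimal index; the names is_safe_ref, safe_isset and demo_arr are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: check an untrusted "name" or "name[index]" reference before
# passing it to `test -v`, which evaluates the subscript in arithmetic context.

# is_safe_ref REF
# Succeeds only for a plain identifier, optionally followed by [N] where N is
# a decimal integer without leading zeros. Command substitutions, parameter
# expansions, nested variable names and octal-looking indices are rejected.
is_safe_ref() {
    local LC_ALL=C    # keep the bracket ranges ASCII-only
    local re='^[A-Za-z_][A-Za-z0-9_]*(\[(0|[1-9][0-9]*)\])?$'
    [[ $1 =~ $re ]]
}

# safe_isset REF
# Returns 0 if REF is well-formed and set, 1 if well-formed but unset,
# 2 if REF was rejected (test -v is never reached in that case).
safe_isset() {
    is_safe_ref "$1" || return 2
    test -v "$1" && return 0
    return 1
}

# Constructed sample data and inputs; the third input is the string from the
# report above, the fourth would be an invalid octal number in arithmetic.
demo_arr=(zero one)
for ref in 'demo_arr[1]' 'demo_arr[7]' 'x[$(id>&2)]' 'demo_arr[08]'; do
    safe_isset "$ref"
    printf '%-14s -> %d\n' "$ref" "$?"
done
```

The allow-list is deliberately narrow: anything that is not a literal integer index is refused rather than escaped, so the subscript never reaches the arithmetic evaluator with expandable content.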


