[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Arbitrary command execution from test on a quoted string

From: Dale R. Worley
Subject: Re: Arbitrary command execution from test on a quoted string
Date: Tue, 02 Nov 2021 22:18:06 -0400

elettrino via Bug reports for the GNU Bourne Again SHell
<bug-bash@gnu.org> writes:
> The following shows an example of bash testing a quoted string and as
> a result executing a command embedded in the string.
> Here I used the command "id" to stand as an example of a command. The
> output of id on this machine was as follows:
> user@machine:~$ id
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
> So to demonstrate:
> user@machine:~$ USER_INPUT='x[$(id>&2)]'
> user@machine:~$ test -v "$USER_INPUT"
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
> This means that if variable USER_INPUT was indeed input from a user,
> the user could execute an arbitrary command.

This is true, but two qualifications should be applied:

1. Executing "test -v" on user input doesn't make sense, as the
variable-name space inside the shell isn't something the user should
interact with.

2. It isn't a security problem, because the user could execute the
command directly.

I leave it to people more steeped in the aracana whether this action by
"test -v" is an irregularity that should be changed.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]