Re: I've found a vulnerability in bash
From: Ilkka Virta
Subject: Re: I've found a vulnerability in bash
Date: Fri, 19 Nov 2021 15:03:20 +0200

On Fri, Nov 19, 2021 at 12:53 PM Marshall Whittaker <marshallwhittaker@gmail.com> wrote:

> You could argue that bash should parse filenames globbed from * that start
> with - and exclude them specifically,
>
Or a shell could prepend ./ to all relative globs. Not sure if that would change the behaviour of some program though.

But you're free to write a shell or a patch to do something like that, and see if it gets any traction? I know at least zsh has some features to warn about doing things like rm *, but at least the version I tried doesn't seem to check for filenames that look like options.

Though of course there's also the issue that some utilities take as options things that start with a plus, also. Like Bash's +O.

> A short whitepaper on it has been made public at:
> https://oxagast.org/posts/bash-wildcard-expansion-arbitrary-command-line-arguments-0day/
> complete with a mini PoC.
>
Given I just linked you two posts about that from 11 years ago, I fail to see how you could honestly consider that a "0-day" issue. Not that people falling into a decades-old trap is much better, actually, so it probably wouldn't be a bad thing if shells started warning about that.
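
The effect of a bare glob versus a ./-prefixed glob, as an added example that is not part of the original message. The function names, the scratch directory and the file names (`-l`, `+O`, `notes.txt`) are constructed for illustration; the script counts how many expanded words start with `-` or `+` and could therefore be read as options by a utility.

```shell
#!/bin/sh
# Added illustration; all names below are constructed for this example.

# Print how many of the given arguments begin with '-' or '+',
# the two prefixes the message mentions as option-like.
count_optlike() {
    n=0
    for arg in "$@"; do
        case $arg in
            -*|+*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Create a scratch directory holding constructed file names, then compare
# the words produced by a bare glob (*) and by a ./-prefixed glob (./*).
glob_demo() {
    dir=$(mktemp -d) || return 1
    status=0
    (
        cd "$dir" || exit 1
        : > ./notes.txt
        : > ./-l           # constructed name that looks like an option
        : > ./+O           # constructed name with a leading plus
        bare=$(count_optlike *)        # names are passed exactly as stored
        prefixed=$(count_optlike ./*)  # every word now starts with "./"
        echo "bare=$bare prefixed=$prefixed"
    ) || status=$?
    rm -rf -- "$dir"
    return "$status"
}

glob_demo
```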