bug-bash

Re: I've found a vulnerability in bash


From: Kerin Millar
Subject: Re: I've found a vulnerability in bash
Date: Fri, 19 Nov 2021 19:41:51 +0000

(Copying the list back in ...)

On Fri, 19 Nov 2021 17:37:54 +0100
Andreas Kusalananda Kähäri <andreas.kahari@abc.se> wrote:

> On Fri, Nov 19, 2021 at 03:56:21PM +0000, Kerin Millar wrote:
> > On Fri, 19 Nov 2021 10:05:39 -0500
> > Marshall Whittaker <marshallwhittaker@gmail.com> wrote:
> > 
> > > Fair. I'm not saying anyone has to change it, but I will call out what I
> > > think is a design flaw.  But this is going to turn into some philosophical
> > > discussion as to whether it should have been done this way from the start.
> > > That I don't know, and hold no responsibility for, as I'm not a bash dev,
> > > I'm an exploit dev.  Maybe an asshole too.
> > 
> > You appear to be missing the implication; it has nothing in particular to 
> > do with bash. Consider the following Perl program. At no point is a shell 
> > involved.
> 
> I believe system() in Perl may well invoke sh -c depending on the
> arguments given.  See "perldoc -f system".

Yes, but there would need to be "one scalar argument".

> > @args = glob('*');
> > system('rm', '-f', @args); # bad

At least two arguments are given there. Granted, the win32 port is an outlier 
but the sample clearly isn't intended for it.

-- 
Kerin Millar
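
Added example, not part of the message above or of any code posted in the thread: the quoted two-line sample run in list form against a scratch directory, next to two hardened variants. It reads the `# bad` comment as referring to a file name beginning with a dash being taken by rm as an option, which is an assumption; the fixture, its file names and the helper names `make_fixture` and `survivors` are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example; every file name below is constructed for the demonstration.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Scratch directory holding a plain file, a populated subdirectory and a
# file whose name happens to look like an rm option.
sub make_fixture {
    my $dir = tempdir(CLEANUP => 1);
    mkdir "$dir/sub" or die "mkdir: $!";
    for my $name ('keep.txt', 'sub/inner.txt', '-r') {
        open my $fh, '>', "$dir/$name" or die "open $name: $!";
        close $fh;
    }
    return $dir;
}

# Run rm in list form over glob($pattern) inside a fresh fixture and return
# whatever is left. List-form system() execs rm directly; no sh -c is used.
sub survivors {
    my ($pattern, @guard) = @_;
    my $dir = make_fixture();
    chdir $dir or die "chdir: $!";
    my @args = glob($pattern);
    system('rm', '-f', @guard, @args);   # exit status ignored on purpose
    my @left = sort glob('* */*');
    chdir '/' or die "chdir: $!";
    return @left;
}

my @cases = (
    [ 'glob("*")',         '*'       ],   # names reach rm's option parser
    [ 'glob("*") with --', '*', '--' ],   # -- ends option parsing
    [ 'glob("./*")',       './*'     ],   # no argument can start with a dash
);
for my $case (@cases) {
    my ($label, @call) = @$case;
    printf "%-20s left: %s\n", $label, join(' ', survivors(@call));
}
```

In the second and third runs rm complains that `sub` is a directory, because without the stray option it no longer recurses.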


