bug-bash

Re: Potential Bash Script Vulnerability


From: Robert Elz
Subject: Re: Potential Bash Script Vulnerability
Date: Tue, 09 Apr 2024 09:16:41 +0700

    Date:        Mon, 8 Apr 2024 19:35:02 +0300
    From:        Oğuz <oguzismailuysal@gmail.com>
    Message-ID:  <CAH7i3LrK8Lt1ZQ1MuWs7TAShg8i5UygJp7QGR-=DQXQH2fb3yQ@mail.gmail.com>


  | Why not? It works fine with other shells

Sure, it is possible to make a useless program like this ...

  | $ cat tst.sh
  | cat <<EOF >tst.c
  | #include <sys/types.h>
  | #include <unistd.h>
  | int main(void) {
  |         lseek(0, 5, SEEK_CUR);
  | }
  | EOF

But try making that program more realistic, like this:

#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

int main(void) {
        char buf[8];
        fread(buf, sizeof buf, 1, stdin);
}

I made the read be 8 bytes, as I actually ran it as

$SHELL << EOF ; echo Exit $?
echo $SHELL
/tmp/tst/stdio
exit 11
echo WORKS
EOF

so it is possible to see when the "exit 11" happens, and when
the shell just falls off the end of the script.

Nothing I tested printed "WORKS".  The shells that had already
read the rest of the script into an internal buffer did "Exit 11";
the ones (presumably) doing 1 byte at a time reads (Ugh!) did Exit 0.

This sharing of stdin with commands run is a Thompson shell "feature"
and it is what here documents were invented in the Bourne shell to
avoid - so the script could contain input to the commands, without
the command needing to access the script itself (which of course
never works if the script is run as any normal script: "$SHELL script")

Almost all real commands use stdio to read stdin.   Playing about
any more with this absurd example isn't worth the bother.   The relevant
text should simply be deleted from POSIX.   It is bizarre and unnecessary.

kre

ps: you can add "bosh" and the (now older) AST ksh93 (AJM 93u+ 2012-08-01)
to the "not works" category.   No idea about ksh88, but given the behaviour
of both bosh and the older ksh93, I'd guess perhaps "not work" for it as well.
Your tst program also doesn't work if run as
cat <<EOF | $SHELL
[...]
EOF
obviously...

And last, while bash2 always (in your sense) worked for me, bash 5.1 and
5.2 did not (some tests worked, some didn't, I have no idea why).
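
Added example (not part of the message above, nor code from the bash project): a POSIX sh sketch of the stdin sharing the message describes, comparing a script fed on stdin with the same script when the reader's stdin is redirected or when the script is passed as a file. The helper run_case, the TEST_SHELL variable and the script body are constructed for illustration, and "cat >/dev/null" is assumed as a stand-in for a stdio-based reader.

```shell
#!/bin/sh
# Added illustration; script body, run_case and TEST_SHELL are constructed.
# run_case CHILD_STDIN DELIVERY  -> prints the exit status of the inner shell
#   CHILD_STDIN: shared  = reader inherits the shell's stdin
#                devnull = reader's stdin is redirected from /dev/null
#   DELIVERY:    stdin   = script is fed to the shell on stdin
#                file    = script is passed as a file argument
run_case() {
    child_stdin=$1
    delivery=$2
    tmp=$(mktemp) || return 1

    # "cat >/dev/null" stands in for any command that reads stdin via stdio.
    case $child_stdin in
        shared)  reader='cat >/dev/null' ;;
        devnull) reader='cat </dev/null >/dev/null' ;;
        *)       rm -f "$tmp"; return 2 ;;
    esac
    printf '%s\n' "$reader" 'exit 11' 'echo WORKS' >"$tmp"

    status=0
    case $delivery in
        stdin) "${TEST_SHELL:-sh}" <"$tmp" >/dev/null 2>&1 || status=$? ;;
        file)  "${TEST_SHELL:-sh}" "$tmp" </dev/null >/dev/null 2>&1 || status=$? ;;
        *)     rm -f "$tmp"; return 2 ;;
    esac
    rm -f "$tmp"
    echo "$status"
}

# 11 means "exit 11" was reached; 0 means the reader consumed the rest of
# the script and the shell fell off the end.
for c in 'shared stdin' 'devnull stdin' 'shared file'; do
    # $c is split on purpose into the two arguments.
    printf '%-14s -> Exit %s\n' "$c" "$(run_case $c)"
done
```

Set TEST_SHELL to compare shells; only the "shared stdin" case depends on how the shell buffers its input, while the other two reach "exit 11" regardless.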



