[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Potential Bash Script Vulnerability
From: |
Robert Elz |
Subject: |
Re: Potential Bash Script Vulnerability |
Date: |
Tue, 09 Apr 2024 09:16:41 +0700 |
Date: Mon, 8 Apr 2024 19:35:02 +0300
From: =?UTF-8?B?T8SfdXo=?= <oguzismailuysal@gmail.com>
Message-ID:
<CAH7i3LrK8Lt1ZQ1MuWs7TAShg8i5UygJp7QGR-=DQXQH2fb3yQ@mail.gmail.com>
| Why not? It works fine with other shells
Sure, it is possible to make a useless program like this ...
| $ cat tst.sh
| cat <<EOF >tst.c
| #include <sys/types.h>
| #include <unistd.h>
| int main(void) {
| lseek(0, 5, SEEK_CUR);
| }
| EOF
But try making that program more realistic, like this:
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
int main(void) {
char buf[8];
fread(buf, sizeof buf, 1, stdin);
}
I made the read be 8 bytes, as I actually ran it as
$SHELL << EOF ; echo Exit $?
echo $SHELL
/tmp/tst/stdio
exit 11
echo WORKS
EOF
so it is possible to see when the "exit 11" happens, and when
the shell just falls off the end of the script.
Nothing I tested printed "WORKS". The shells that had already
read the rest of the script into an internal buffer did "Exit 11"
the ones (presumably) doing 1 byte at a time reads (Ugh!) did Exit 0.
This sharing of stdin with commands run is a Thompson shell "feature"
and it is what here documents were invented in the Bourne shell to
avoid - so the script could contain input to the commands, without
the command needing to access the script itself (which of course
never works if the script is run as any normal script: "$SHELL script")
Almost all real commands use stdio to read stdin. Playing about
any more with this absurd example isn't worth the bother. The relevant
text should simply be deleted from POSIX. It is bizarre and unnecessary.
kre
ps: you can add "bosh" and the (now older) AST ksh93 (AJM 93u+ 2012-08-01)
to the "not works" category. No idea about ksh88, but given the behaviour
of both bosh and the older ksh93, I'd guess perhaps "not work" for it as well.
Your tst program also doesn't work if run as
cat <<EOF | $SHELL
[...]
EOF
obviously...
And last, while bash2 always (in your sense) worked for me, bash 5.1 and
5.2 did not (some tests worked, some didn't, I have no idea why).
- Re: Potential Bash Script Vulnerability, (continued)
- Re: Potential Bash Script Vulnerability, Kerin Millar, 2024/04/08
- Re: Potential Bash Script Vulnerability, Robert Elz, 2024/04/08
- Re: Potential Bash Script Vulnerability, Greg Wooledge, 2024/04/08
- Re: Potential Bash Script Vulnerability, admin, 2024/04/08
- Re: Potential Bash Script Vulnerability, Greg Wooledge, 2024/04/08
- Re: Potential Bash Script Vulnerability, Andreas Schwab, 2024/04/08
- Re: Potential Bash Script Vulnerability, admin, 2024/04/08
- Message not available
- Re: Potential Bash Script Vulnerability, Oğuz, 2024/04/08
- Message not available
- Re: Potential Bash Script Vulnerability, Robert Elz, 2024/04/08
- Re: Potential Bash Script Vulnerability, Oğuz, 2024/04/08
- Re: Potential Bash Script Vulnerability,
Robert Elz <=
- Re: Potential Bash Script Vulnerability, Oğuz, 2024/04/08
Re: Potential Bash Script Vulnerability, Martin D Kealey, 2024/04/08
Re: Potential Bash Script Vulnerability, Chet Ramey, 2024/04/08