Re: currently doable? Indirect notation used w/a hash

[Chris F.A. Johnson]

On Mon, 10 Jun 2013, Greg Wooledge wrote:

> On Mon, Jun 10, 2013 at 10:23:10AM -0400, Chris F.A. Johnson wrote:
> > On Mon, 10 Jun 2013, Chris Down wrote:
> >
> > > Enjoy your arbitrary command execution.
> >
> >    Can you give me an example, using the code I posted, where that would
> >    happen?
>
> > > On 10 Jun 2013 14:15, "Chris F.A. Johnson" <chris@cfajohnson.com> wrote:
> > > > eval "array=( \"\${$1[@]}\" )"
>
> imadev:~$ foobar() { set -x; eval "array=( \"\${$1[@]}\" )"; }
> imadev:~$ foobar 'a}"); date; b=("${q'
> + foobar 'a}"); date; b=("${q'
> + set -x
> + eval 'array=( "${a}"); date; b=("${q[@]}" )'
> ++ array=("${a}")
> ++ date
> Mon Jun 10 10:31:41 EDT 2013
> ++ b=("${q[@]}")
>
> A really clever attack wouldn't leave those extra variables lying around,
> either.  I stopped at "working" and didn't spend the extra time for
> "clever".

  Point taken, but the only way such a string would be passed as a
  variable name is if it was given as user input -- which would,
  presumably, be sanitized before being used. Programming it literally
  makes as much sense as 'rm -rf /'.

--
   Chris F.A. Johnson, <http://cfajohnson.com/>
   Author:
   Pro Bash Programming: Scripting the GNU/Linux Shell (2009, Apress)
   Shell Scripting Recipes: A Problem-Solution Approach (2005, Apress)