bug-bash

Re: Arithmetic + array allows for code injection


From: Greg Wooledge
Subject: Re: Arithmetic + array allows for code injection
Date: Mon, 2 Jun 2014 09:34:28 -0400
User-agent: Mutt/1.4.2.3i

On Mon, Jun 02, 2014 at 03:08:17PM +0200, Andreas Schwab wrote:
> Greg Wooledge <wooledg@eeg.ccf.org> writes:
> 
> > imadev:~$ : $((a[$x]))
> > bash: Mon Jun 2 08:06:39 EDT 2014: syntax error in expression (error token is "Jun 2 08:06:39 EDT 2014")
> >
> > There's the code-injection problem that started the thread.
> 
> Here the index is '$(date)'.
> 
> *Note (bash) Arithmetic Expansion:: ... All tokens in the expression
> undergo parameter and variable expansion, command substitution, and
> quote removal.  The result is treated as the arithmetic expression to be
> evaluated.

Ah.  And this is copied almost verbatim from POSIX:

http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_06_04

$((expression))

The expression shall be treated as if it were in double-quotes, except that a
double-quote inside the expression is not treated specially. The shell shall
expand all tokens in the expression for parameter expansion, command
substitution, and quote removal.

So the reason it acts this way is because POSIX said so.  Now it starts
to make sense!

(One could argue that POSIX's wording doesn't require the command
substitution be done in a second pass AFTER the parameter expansion.
But apparently it has been interpreted this way.)
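
Added example, not part of the original message or of bash itself: because the expanded text is evaluated again as an arithmetic expression, one way to use an untrusted value as an array index is to accept only decimal digits before it reaches `$(( ))` or a subscript. The names `is_index` and `get_elem` and the sample array are hypothetical; bash is assumed.

```bash
#!/usr/bin/env bash
# Added example; is_index, get_elem and the array are hypothetical names.

# Constructed sample data: ten elements, indices 0..9.
a=(zero one two three four five six seven eight nine)

# Succeed only if $1 is a short string of decimal digits. Anything else
# (including text such as '$(date)') is rejected before arithmetic sees it.
is_index() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 9 ]   # keep the value well inside the integer range
}

# Print a[$1], or fail without ever evaluating an unvalidated subscript.
get_elem() {
    local idx=$1
    if ! is_index "$idx"; then
        printf 'rejected index: %s\n' "$idx" >&2
        return 1
    fi
    idx=$((10#$idx))                  # force base 10 so "08" is not parsed as octal
    (( idx < ${#a[@]} )) || return 1  # bounds check
    printf '%s\n' "${a[idx]}"
}

# Demo over constructed inputs; the third is the index from the thread.
for x in 3 08 '$(date)' '1+1' ''; do
    if out=$(get_elem "$x" 2>/dev/null); then
        printf '%-10s -> %s\n' "'$x'" "$out"
    else
        printf '%-10s -> rejected\n' "'$x'"
    fi
done
```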


