|
From: | Ilkka Virta |
Subject: | Re: Code Execution in Mathematical Context |
Date: | Wed, 5 Jun 2019 20:39:54 +0300 |
User-agent: | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:60.0) Gecko/20100101 Thunderbird/60.7.0 |
On 5.6. 17:05, Chet Ramey wrote:
On 6/4/19 3:26 PM, Ilkka Virta wrote:If the bad user supplied variable contains array indexing in itself, e.g. bad='none[$(date >&2)]' then using it in an arithmetic expansion still executes the 'date', single quotes or not (the array doesn't need to exist):Because the value is treated as an expression, not an integer constant.
And I suppose that's by design, or just required by the arithmetic expression syntax, right? I think that was part of the original question.
$ (( 'bad' )) Tue Jun 4 22:04:32 EEST 2019Quoting a string doesn't make it a non-identifier in this context.
So is there some other "simple" way of preventing that, then?
$ echo "$(( 'a[2]' ))" bash: 'a[2]' : syntax error: operand expected (error token is "'a[2]' ")The expression between the parens is treated as if it were within double quotes, where single quotes are not special.
I did put the double-quotes around the $((...)), but the same happens even without them. Is this just a difference between ((...)) and $((...)) for some reason?
-- Ilkka Virta / itvirta@iki.fi
[Prev in Thread] | Current Thread | [Next in Thread] |