Unexpected code injection with [[ -v ]]

From: Greg Wooledge
Subject: Unexpected code injection with [[ -v ]]
Date: Mon, 9 Nov 2020 18:29:42 -0500
User-agent: Mutt/1.10.1 (2018-07-13)

bash version 5.0.3(1)-release, Debian package 5.0-4, amd64.

Prompted by a discussion with someone in IRC.

unicorn:~$ key='$(date >&2)'
unicorn:~$ declare -A aa
unicorn:~$ aa[$key]=foo
unicorn:~$ echo "${aa[$key]}"
foo
unicorn:~$ [[ -v aa[$key] ]]
Mon Nov 9 18:17:30 EST 2020
bash: aa: bad array subscript
unicorn:~$ [[ -v 'aa[$key]' ]]
unicorn:~$

It's well-known that handing an unsanitized index to an *indexed* array
causes code injection when the index is evaluated in a math context, but
the code injection from -v with an *associative* array is a new one to me.

It's especially confusing because it doesn't happen with assignments or
expansions -- just with -v.

It seems single-quoting the array name + square brackets + key "works" to
avoid the code injection, but it's not clear to me why that's needed.
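
A key-existence check that avoids `[[ -v ]]` altogether, as an added example that is not part of the original message: it relies on the message's observation that expansions do not trigger the injection. The helper names `has_key` and `check_no_eval` and the sample key are constructed for illustration.

```bash
#!/usr/bin/env bash
# Associative arrays need bash; re-run under bash if started by another shell.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# has_key ARRAY_NAME KEY  (hypothetical helper, not from the original message)
# Returns 0 if KEY is set in the associative array ARRAY_NAME, 1 if not,
# 2 if ARRAY_NAME is not a plain identifier.
# The test uses ${arr[$key]+x}, an expansion, so the key text is expanded
# once and never evaluated a second time as shell code.
has_key() {
    # The array name should come from the script, never from input; still
    # refuse anything that is not an identifier before making a nameref.
    [[ $1 =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || return 2
    # bash rejects an empty subscript, so an empty key is reported as absent.
    [[ -n $2 ]] || return 1
    local -n _hk_arr=$1
    [[ -n ${_hk_arr[$2]+x} ]]
}

# Constructed check: the key has the same shape as the one in the message.
# If anything evaluated it, "EVALUATED" would show up on stderr.
check_no_eval() {
    declare -A aa
    local key='$(echo EVALUATED >&2)' err rc=0
    aa[$key]=foo
    err=$(has_key aa "$key" 2>&1) || rc=$?
    # Succeeds only if the key was found and nothing was written to stderr.
    [[ $rc -eq 0 && -z $err ]]
}

if check_no_eval; then
    echo "key found; nothing was evaluated"
fi
```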