[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Unexpected code injection with [[ -v ]]
From: |
Chet Ramey |
Subject: |
Re: Unexpected code injection with [[ -v ]] |
Date: |
Tue, 10 Nov 2020 12:12:14 -0500 |
User-agent: |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.4.0 |
On 11/9/20 6:29 PM, Greg Wooledge wrote:
> bash version 5.0.3(1)-release, Debian package 5.0-4, amd64.
>
> Prompted by a discussion with someone in IRC.
>
> unicorn:~$ key='$(date >&2)'
> unicorn:~$ declare -A aa
> unicorn:~$ aa[$key]=foo
> unicorn:~$ echo "${aa[$key]}"
> foo
> unicorn:~$ [[ -v aa[$key] ]]
> Mon Nov 9 18:17:30 EST 2020
> bash: aa: bad array subscript
> unicorn:~$ [[ -v 'aa[$key]' ]]
> unicorn:~$
>
> It's well-known that handing an unsanitized index to an *indexed* array
> causes code injection when the index is evaluated in a math context, but
> the code injection from -v with an *associative* array is a new one to me.
> It's especially confusing because it doesn't happen with assignments or
> expansions -- just with -v.
When executing the conditional command, each word is expanded once. The
difference between [[ and [ is that the word isn't split, and that's why
you get an error when you try this with test/[. Then the array subscript is
expanded to determine whether or not it's set, as usual.
When you use assignments or expansions, the subscript is expanded once.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/