[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Arbitrary command execution from test on a quoted string
From: |
Greg Wooledge |
Subject: |
Re: Arbitrary command execution from test on a quoted string |
Date: |
Thu, 28 Oct 2021 18:29:28 -0400 |
On Thu, Oct 28, 2021 at 08:33:22PM +0000, elettrino via Bug reports for the GNU
Bourne Again SHell wrote:
>
> user@machine:~$ USER_INPUT='x[$(id>&2)]'
> user@machine:~$ test -v "$USER_INPUT"
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
Whoo. This uses a feature that was introduced in bash 4.2. It doesn't
cause code injection in bash 4.2, though. It *does* cause code injection
in bash 4.3 through 5.1.
Adding it to my wiki page.
Re: Arbitrary command execution from test on a quoted string, Ilkka Virta, 2021/10/29