From: | Léa Gris |
Subject: | Re: Arbitrary command execution from test on a quoted string |
Date: | Fri, 29 Oct 2021 07:37:13 +0200 |
User-agent: | Telnet/1.0 [tlh] (PDP11/DEC) |
On 29/10/2021 at 00:29, Greg Wooledge wrote:
> On Thu, Oct 28, 2021 at 08:33:22PM +0000, elettrino via Bug reports for the GNU Bourne Again SHell wrote:
> > user@machine:~$ USER_INPUT='x[$(id>&2)]'
> > user@machine:~$ test -v "$USER_INPUT"
> > uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> > user@machine:~$
>
> Whoo. This uses a feature that was introduced in bash 4.2. It doesn't cause code injection in bash 4.2, though. It *does* cause code injection in bash 4.3 through 5.1. Adding it to my wiki page.
A safe way to replace:

    test -v "$USER_INPUT"

Would be:

    test "${USER_INPUT@Q}"

But it is not backward-compatible with older bash versions.

Alternatively:

    declare -p USER_INPUT >/dev/null 2>&1

will work with much older bash versions.

Any other ways which are less bulky and/or more backward compatible?

-- 
Léa Gris
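
A defensive wrapper for the pattern discussed in this thread, as an added example that is not part of the original posts: it rejects anything that is not a plain variable name before asking whether the variable is set, so an array subscript is never handed to the shell for evaluation. The function names `is_valid_name` and `var_is_set` are hypothetical, and the check uses POSIX `${name+set}` through `eval` instead of `test -v`.

```sh
#!/bin/sh
# Added example: refuse anything that is not a plain variable name before
# asking the shell whether that variable is set.

# Succeeds only for names matching [A-Za-z_][A-Za-z0-9_]*. The body runs in
# a subshell so the LC_ALL=C used for predictable bracket ranges stays local.
is_valid_name() (
    LC_ALL=C
    case $1 in
        '' | [0-9]* | *[!A-Za-z0-9_]*) exit 1 ;;
    esac
    exit 0
)

# Returns 0 if the named variable is set (even to the empty string),
# 1 if it is unset, 2 if the name was rejected.
var_is_set() {
    is_valid_name "$1" || return 2
    # eval only ever sees a validated identifier at this point.
    eval "[ -n \"\${$1+set}\" ]"
}

# Constructed sample inputs; the last one is the string from the report.
demo() {
    EMPTY=''
    for name in HOME EMPTY surely_unset_name 'x[$(id>&2)]'; do
        rc=0
        var_is_set "$name" || rc=$?
        printf '%-20s -> %s\n' "$name" "$rc"
    done
}
demo
```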