bug-bash

Re: Arbitrary command execution from test on a quoted string


From: Léa Gris
Subject: Re: Arbitrary command execution from test on a quoted string
Date: Fri, 29 Oct 2021 07:37:13 +0200
User-agent: Telnet/1.0 [tlh] (PDP11/DEC)

On 29/10/2021 at 00:29, Greg Wooledge wrote:
> On Thu, Oct 28, 2021 at 08:33:22PM +0000, elettrino via Bug reports for the GNU Bourne Again SHell wrote:
>
>> user@machine:~$ USER_INPUT='x[$(id>&2)]'
>> user@machine:~$ test -v "$USER_INPUT"
>> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
>> user@machine:~$
>
> Whoo.  This uses a feature that was introduced in bash 4.2.  It doesn't
> cause code injection in bash 4.2, though.  It *does* cause code injection
> in bash 4.3 through 5.1.
>
> Adding it to my wiki page.


A safe way to replace:
test -v "$USER_INPUT"

Would be:
test "${USER_INPUT@Q}"

But it is not backward-compatible with older bash versions.

Alternatively:
declare -p USER_INPUT >/dev/null 2>&1

will work with much older bash versions.


Any other ways which are less bulky and/or more backward compatible?

--
Léa Gris
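
An added example, not part of the thread: one way to ask "is the variable named by this untrusted string set?" using only POSIX shell features, so it also runs on older bash. The helper name `is_set_var` and the `DEMO_*` variables are assumptions made for the illustration; it accepts plain variable names only, so an array subscript is rejected instead of being evaluated.

```shell
# Added example (not from the thread). is_set_var is a hypothetical helper.
# Return codes: 0 = set, 1 = unset, 2 = not a plain variable name (rejected).
is_set_var() {
    # Allow-list a single ASCII identifier. The characters are spelled out
    # because ranges such as [a-z] are locale-dependent in some shells.
    # Anything containing '[', '$', '(', whitespace, etc. is refused before
    # it can reach test, eval or arithmetic evaluation.
    case $1 in
        ''|[0123456789]*) return 2 ;;
        *[!abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_]*) return 2 ;;
    esac
    # $1 is now a bare identifier, so this eval can only expand ${NAME+x},
    # which yields "x" when NAME is set (even if empty) and "" when unset.
    eval "[ -n \"\${$1+x}\" ]"
}

# Constructed inputs; the last one is the string from the report quoted above.
DEMO_SET=''          # set but empty
unset DEMO_UNSET
for name in DEMO_SET DEMO_UNSET '1abc' 'x[$(id>&2)]'; do
    rc=0
    is_set_var "$name" || rc=$?
    printf '%-14s -> %s\n' "$name" "$rc"
done
```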



