bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Arbitrary command execution from test on a quoted string


From: Ilkka Virta
Subject: Re: Arbitrary command execution from test on a quoted string
Date: Fri, 29 Oct 2021 12:48:57 +0300

On Fri, Oct 29, 2021 at 1:01 AM elettrino via Bug reports for the GNU
Bourne Again SHell <bug-bash@gnu.org> wrote:

> user@machine:~$ USER_INPUT='x[$(id>&2)]'
> user@machine:~$ test -v "$USER_INPUT"
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
>

What you're doing here, is having the user name a variable, and then
testing if that variable is set.
I'm not sure if that makes much sense. The user probably doesn't and
shouldn't need to know the names
of the variables used by the script.

It might make more sense to use USER_INPUT as an index to an associative
array that was filled with
some relevant entries and the user was to pick one. But you still get to
watch the quoting:

$ declare -A values=([foo]=123 [bar]=345)
$ USER_INPUT='x[$(id>&2)]'; test -v 'values[$USER_INPUT]' && echo yes ||
echo no
no
$ USER_INPUT='foo'; test -v 'values[$USER_INPUT]' && echo yes || echo no
yes

(or do the same with [ "${values[$USER_INPUT]+set}" = set ] )

but

$ USER_INPUT='x[$(id>&2)]'; test -v "values[$USER_INPUT]" && echo yes ||
echo no
uid=1000(itvirta) gid=1000(itvirta) ...
no

Not that I'm sure the upper one is still safe against every input. I think
issues with associative array keys have been
discussed on the list before.

I don't know whether this happens with anything other than the -v option
> with test; I have not seen it happen under any other circumstance.
>

Arithmetic expansion is the classic one. Here, we expect the user to give
some number and then do arithmetic on it:

USER_INPUT='x[$(id>&2)]'
a=$(( USER_INPUT + 1 ))     # or even:
if (( USER_INPUT <= 0 )); then echo invalid input; fi

You have to sanitize the inputs, case $USER_INPUT in *[!0-9]*) echo error
>&2; exit 1 ;; esac or something like that for the numbers.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]