Re: I've found a vulnerability in bash
From: Marshall Whittaker
Subject: Re: I've found a vulnerability in bash
Date: Fri, 19 Nov 2021 05:53:04 -0500
You could argue that bash should parse filenames globbed from * that start
with - and exclude them specifically, so I'll have to respectfully
disagree. Also, it is not the programs doing the parsing of *, that is a
function of bash. Try typing * in just your terminal/command line and see
what happens.
A short whitepaper on it has been made public at:
https://oxagast.org/posts/bash-wildcard-expansion-arbitrary-command-line-arguments-0day/
complete with a mini PoC.
On Wed, Nov 17, 2021 at 9:04 AM Chet Ramey <chet.ramey@case.edu> wrote:
> On 11/17/21 4:16 AM, Marshall Whittaker wrote:
>
> > This shouldn't happen because you can drop a file and then redirect
> > other code for example calling a script if you only have access to drop
> > a file. Say a cronjob was running every hour, and it did rm * on some
> > folder, by expansion, you could expand it to -riv or whatever you
> > wanted and redirect program flow from there.
>
> That's just bad scripting.
>
> --
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
> ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/
>
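
The behaviour debated in this message, as an added example that is not part of the original post or of bash itself: the shell expands `*` into filenames before the command starts, so a name such as `-riv` reaches the command as an ordinary argument, and prefixing the glob with `./` or ending option parsing with `--` keeps such names from being read as options. The function names and the sample directory are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Build a constructed sample directory: one name from the thread (-riv),
# one ordinary file, and a subdirectory that a recursive delete would destroy.
make_sample() (
    d=$(mktemp -d) || exit 1
    mkdir "$d/keep"
    : > "$d/-riv"; : > "$d/a.txt"; : > "$d/keep/data"
    echo "$d"
)

# Count the words a command run inside DIR would receive that begin with '-'.
# MODE "plain" models `cmd *`; anything else models `cmd ./*`.
count_optionlike() (
    cd -- "$2" || exit 1
    if [ "$1" = plain ]; then set -- *; else set -- ./*; fi
    n=0
    for arg in "$@"; do
        case $arg in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
)

# Delete only regular files directly inside DIR. "$1"/* yields path-qualified
# words, and `--` ends option parsing even when DIR itself starts with '-'.
safe_clean() (
    removed=0
    for f in "$1"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        rm -f -- "$f" && removed=$((removed + 1))
    done
    echo "$removed"
)

d=$(make_sample)
echo "option-like words: plain=$(count_optionlike plain "$d") prefixed=$(count_optionlike prefixed "$d")"
echo "files removed: $(safe_clean "$d")"
rm -rf -- "$d"
```

`count_optionlike` can be pointed at any directory a scheduled job globs over to see whether dash-prefixed names are present.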