Re: I've found a vulnerability in bash

[Ilkka Virta]

On Fri, Nov 19, 2021 at 12:53 PM Marshall Whittaker <
marshallwhittaker@gmail.com> wrote:

> You could argue that bash should parse filenames globbed from * that start
> with - and exclude them specifically,
>

Or a shell could prepend ./ to all globs relative globs. Not sure if that
would change the behaviour of some
program though.

But you're free to write a shell or a patch to do something like that, and
see if it gets any traction? I know at least
zsh has some features to warn about doing things like rm *, but at least
the version I tried doesn't seem to check
for filenames that look like options.

Though of course there's also the issue that some utilities take as options
things that start with a plus, also. Like
Bash's +O.


> A short whitepaper on it has been made public at:
> https://oxagast.org/posts/bash-wildcard-expansion-arbitrary-command-line-arguments-0day/
> complete with a mini PoC.
>

Given I just linked you two posts about that from 11 years ago, I fail to
see how you could honestly consider that
a "0-day" issue. Not that people falling into a decades-old trap is much
better, actually, so it probably wouldn't be
a bad thing if shells started warning about that.