Re: Arithmetic + array allows for code injection
From: Greg Wooledge
Subject: Re: Arithmetic + array allows for code injection
Date: Fri, 30 May 2014 14:08:14 -0400
User-agent: Mutt/1.4.2.3i

On Fri, May 30, 2014 at 08:57:42PM +0300, Pierre Gaston wrote:
> It doesn't seem right for code looking as innocent as $((a[$i])) or
> $((a["$i"])) to allow running arbitrary commands for some value of i, that
> are not even that clever:
>
> $ i='$( echo >&2 an arbitrary command )';: $((a["$i"]))
> an arbitrary command
>
> $ i='"$( echo >&2 an arbitrary command)"';: $((a[$i]))
> an arbitrary command

A workaround is to avoid the explicit $i inside the square brackets:

imadev:~$ i='$(date)'; : $((a[$i]))
bash: Fri May 30 14:05:34 EDT 2014: syntax error in expression (error token is
"May 30 14:05:34 EDT 2014")
imadev:~$ i='$(date)'; : $((a[i]))
bash: $(date): syntax error: operand expected (error token is "$(date)")

I don't dispute the need to fix it, though.
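
An added example, not part of the original message and going beyond the workaround it shows: checking that an untrusted value is a plain decimal integer before it is used as a subscript inside `$(( ))`, so the arithmetic evaluator never sees anything it could expand. The names `is_index`, `safe_get` and `arr` are assumptions made for this illustration, and the array contents are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example: validate an untrusted value before it reaches arr[...] in $(( )).

# Return 0 only if $1 is a non-empty string of decimal digits.
is_index() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains any non-digit
    esac
    return 0
}

# Print element $1 of the global indexed array "arr" (hypothetical name).
# Returns 2, without evaluating anything, when the index is not a plain integer.
safe_get() {
    local idx=$1
    if ! is_index "$idx"; then
        # Deliberately do not echo the rejected value back.
        echo "rejected index: refusing to evaluate" >&2
        return 2
    fi
    # Force base 10 so that a value such as 08 is not parsed as invalid octal.
    idx=$(( 10#$idx ))
    # idx now holds a number, so the subscript contains nothing to expand.
    printf '%s\n' "$(( arr[idx] ))"
}

arr=(10 20 30)   # constructed sample data
```

The validation happens before any arithmetic context is entered, so the result does not depend on whether the subscript is later written as `arr[$idx]` or `arr[idx]`.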