[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Arithmetic + array allows for code injection
From: |
Pierre Gaston |
Subject: |
Re: Arithmetic + array allows for code injection |
Date: |
Fri, 30 May 2014 21:12:18 +0300 |
On Fri, May 30, 2014 at 9:08 PM, Greg Wooledge <wooledg@eeg.ccf.org> wrote:
> On Fri, May 30, 2014 at 08:57:42PM +0300, Pierre Gaston wrote:
> > It doesn't seem right for code looking as innocent as $((a[$i])) or
> > $((a["$i"])) to allow running arbitrary commands for some value of i,
> that
> > are no even that clever:
> >
> > $ i='$( echo >&2 an arbitrary command )';: $((a["$i"]))
> > an arbitrary command
> >
> > $ i='"$( echo >&2 an arbitrary command)"';: $((a[$i]))
> > an arbitrary command
>
> A workaround is to avoid the explicit $i inside the square brackets:
>
> imadev:~$ i='$(date)'; : $((a[$i]))
> bash: Fri May 30 14:05:34 EDT 2014: syntax error in expression (error
> token is "May 30 14:05:34 EDT 2014")
> imadev:~$ i='$(date)'; : $((a[i]))
> bash: $(date): syntax error: operand expected (error token is "$(date)")
>
> I don't dispute the need to fix it, though.
>
Right, in fact when this bug was found when playing with associative arrays
where this workaround is not possible, with declare -A a you can use
$((${a["$i"]}))