bug-bash
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Associative array keys are not reusable in (( command

From: Chet Ramey
Subject: Re: Associative array keys are not reusable in (( command
Date: Sun, 10 Jan 2021 13:46:48 -0500
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 
On 1/8/21 10:24 AM, Oğuz wrote:
8 Ocak 2021 Cuma tarihinde Chet Ramey <chet.ramey@case.edu <mailto:chet.ramey@case.edu>> yazdı: 

    On 1/8/21 5:20 AM, Oğuz wrote:

        See:

              $ declare -A assoc=($'\n\'' 42)
              $ for key in "${!assoc[@]}"; do (( assoc[$key]++ )); done
              bash: ((: assoc[
              ']++ : bad array subscript (error token is "assoc[
              ']++ ")
              $
              $ (( assoc[${key@Q}]++ ))
              bash: ((: assoc[$'\n\'']++ : bad array subscript (error token is
        "assoc[$'\n\'']++ ")


    This situation is why bash-5.0 introduced the `assoc_expand_once' option.


But it allows arbitrary command injection.

     $ declare -A assoc
     $ key='x],b[$(uname >&2)'
     $ shopt -s assoc_expand_once
     $ (( assoc[$key]++ ))
     Linux


So you have got (( assoc[x],b[$(uname >&2)] )), and the shell does exactly
what you think it does with that.

This is a valid arithmetic expression. The `assoc' is marked as having its
subscript expanded once, since it has. The `b' is not, because it has not.
So when the arithmetic evaluator gets `b[$(uname >&2)]', it expands the
subscript.

The shell could internally quote the subscript, but it doesn't do that
right now.


--
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]