[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Arbitrary command execution from test on a quoted string
From: |
Dale R. Worley |
Subject: |
Re: Arbitrary command execution from test on a quoted string |
Date: |
Tue, 02 Nov 2021 22:18:06 -0400 |
elettrino via Bug reports for the GNU Bourne Again SHell
<bug-bash@gnu.org> writes:
> The following shows an example of bash testing a quoted string and as
> a result executing a command embedded in the string.
>
> Here I used the command "id" to stand as an example of a command. The
> output of id on this machine was as follows:
>
> user@machine:~$ id
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
>
> So to demonstrate:
>
> user@machine:~$ USER_INPUT='x[$(id>&2)]'
> user@machine:~$ test -v "$USER_INPUT"
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
>
> This means that if variable USER_INPUT was indeed input from a user,
> the user could execute an arbitrary command.
This is true, but two qualifications should be applied:
1. Executing "test -v" on user input doesn't make sense, as the
variable-name space inside the shell isn't something the user should
interact with.
2. It isn't a security problem, because the user could execute the
command directly.
I leave it to people more steeped in the aracana whether this action by
"test -v" is an irregularity that should be changed.
Dale
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: Arbitrary command execution from test on a quoted string,
Dale R. Worley <=