On Mon, 10 Jun 2013, Greg Wooledge wrote:
On Mon, Jun 10, 2013 at 10:23:10AM -0400, Chris F.A. Johnson wrote:
On Mon, 10 Jun 2013, Chris Down wrote:
Enjoy your arbitrary command execution.
Can you give me an example, using the code I posted, where that would
happen?
On 10 Jun 2013 14:15, "Chris F.A. Johnson" <ch...@cfajohnson.com> wrote:
eval "array=( \"\${$1[@]}\" )"
imadev:~$ foobar() { set -x; eval "array=( \"\${$1[@]}\" )"; }
imadev:~$ foobar 'a}"); date; b=("${q'
+ foobar 'a}"); date; b=("${q'
+ set -x
+ eval 'array=( "${a}"); date; b=("${q[@]}" )'
++ array=("${a}")
++ date
Mon Jun 10 10:31:41 EDT 2013
++ b=("${q[@]}")
A really clever attack wouldn't leave those extra variables lying around,
either. I stopped at "working" and didn't spend the extra time for
"clever".
Point taken, but the only way such a string would be passed as a
variable name is if it was given as user input -- which would,
presumably, be sanitized before being used. Programming it literally
makes as much sense as 'rm -rf /'.
--
Chris F.A. Johnson, <http://cfajohnson.com/>
Author:
Pro Bash Programming: Scripting the GNU/Linux Shell (2009, Apress)
Shell Scripting Recipes: A Problem-Solution Approach (2005, Apress)
