2014-10-10 10:17:40 -0400, Chet Ramey:
[...]
> > bash -c '(( XDG_VTNR < 7 ))
> >
> > That allows arbitrary code execution (and can't easily be
> > fixed without breaking backward compatibility).
> >
> > Try with "export XDG_VTNR='a[$(echo>&2 vulnerable)]'".
>
> Sure, and that's documented, intended, and not unique.
[...]

Is it really intended and documented that cmdsubst be performed
there? AFAICT, it's not useful and not consistent.

a='$(echo 1+1)' bash -c 'echo $((a))'

Doesn't work. So why would these work

a='b[$(echo 1+1)]' bash -c 'echo $((a))'

Or

a='$(echo 1+1)' bash -c 'echo $((b[a]))'

then?

Where is it documented that variable, arithmetic, command, tilde
and process substitution are performed in array subscripts in
indirectly evaluated arithmetic expressions?

I can accept:

echo $((a[$(echo 1+1)]))

or:

a[$(echo 1+1)]=2

being accepted intentionally. But I can't see why the content of a
variable should be interpreted as anything else than an arithmetic
expression just because it's in an array subscript.

--
Stephane
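
A defensive illustration of the behaviour discussed in this message, added here and not part of the original post or of bash: check that an environment variable is a plain decimal integer before it reaches any arithmetic context. The function names are hypothetical; XDG_VTNR and the last sample value are taken from the quoted example, the other sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Idea: never let an untrusted string reach (( )), $(( )), let or [[ -lt ]];
# check that it is a plain decimal integer first.

# Succeeds only for an optional leading '-' followed by decimal digits.
is_decimal_int() {
    case $1 in
        '' | - | *[!0123456789-]* | ?*-*) return 1 ;;
    esac
    return 0
}

# Prints the canonical form (no leading zeros, so 010 is ten, not octal 8).
# Fails on invalid input or on more than 18 digits (64-bit overflow guard).
normalize_int() {
    is_decimal_int "$1" || return 1
    _s='' _d=$1
    case $_d in -*) _s=- _d=${_d#-} ;; esac
    while :; do
        case $_d in 0?*) _d=${_d#0} ;; *) break ;; esac
    done
    [ "${#_d}" -le 18 ] || return 1
    [ "$_d" = 0 ] && _s=''
    printf '%s\n' "$_s$_d"
}

# vtnr_below LIMIT: 0 if $XDG_VTNR < LIMIT, 1 if not, 2 if XDG_VTNR is invalid.
vtnr_below() {
    _v=$(normalize_int "${XDG_VTNR-}") || return 2
    [ "$_v" -lt "$1" ]
}

# Constructed sample values; the last one is the string quoted in the thread.
for XDG_VTNR in 3 010 -007 '1+1' 'a[$(echo>&2 vulnerable)]'; do
    if vtnr_below 7; then r=below; else r="rejected or not below (rc=$?)"; fi
    printf '%-28s %s\n' "$XDG_VTNR" "$r"
done
```

The comparison uses `[ ... -lt ... ]` on the already validated value, so the variable's content is never parsed as an arithmetic expression.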