On 4.6. 16:24, Greg Wooledge wrote:
> On Tue, Jun 04, 2019 at 01:42:40PM +0200, Nils Emmerich wrote:
>> Bash Version: 5.0
>> Patch Level: 0
>> Release Status: release
>> Description:
>> It is possible to get code execution via a user supplied variable in
>> the mathematical context.
>> For example: (( 'a[i]++' )) or let 'a[i]++'
> Without quotes in the former, something bad happens, but I can't remember
> the details off the top of my head.
If the bad user supplied variable contains array indexing in itself,
e.g. bad='none[$(date >&2)]' then using it in an arithmetic expansion
still executes the 'date', single quotes or not (the array doesn't need
to exist):
$ a=(123 456 789) bad='none[$(date >&2)]'
$ unset none
$ (( a[bad]++ ))
Tue Jun 4 22:00:38 EEST 2019
$ (( 'a[bad]++' ))
Tue Jun 4 22:00:42 EEST 2019
Same here, of course:
$ (( bad ))
Tue Jun 4 22:04:29 EEST 2019
$ (( 'bad' ))
Tue Jun 4 22:04:32 EEST 2019
So, it doesn't seem the single-quotes help. They do seem to break the
whole expression within "$(( ))", though:
$ echo "$(( 'a[2]' ))"
bash: 'a[2]' : syntax error: operand expected (error token is "'a[2]' ")
$ i=2
$ echo "$(( 'a[i]' ))"
bash: 'a[i]' : syntax error: operand expected (error token is "'a[i]' ")
$ echo "$(( 'a[$i]' ))"
bash: 'a[2]' : syntax error: operand expected (error token is "'a[2]' ")
Maybe it would be better to try to sanity-check any user-provided values
first:
$ case $var in *[^0123456789]*) echo "Invalid input" >&2; exit 1;; esac
$ (( a[var]++ )) # safe now?
--
Ilkka Virta / itvi...@iki.fi
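The sanity-check approach suggested at the end of the message, carried through as a small bash script. This is an added example, not code from the thread; the function names `is_uint` and `safe_incr` and the array `a` are assumptions. It also handles one edge case the one-liner above does not mention: a validated index with a leading zero (such as `08`) is otherwise read as an octal literal inside `(( ))`, so the index is forced to base 10 with `10#` before use.

```bash
#!/usr/bin/env bash
# Added example (not from the bug-bash thread): never let untrusted text
# reach an arithmetic context as a variable name or subscript. Validate it
# as a plain unsigned integer first, then use only the validated number.

# Returns 0 if $1 is a non-empty string of ASCII digits, 1 otherwise.
# The pattern mirrors the case statement in the message above.
is_uint() {
    case $1 in
        '')        return 1 ;;   # empty string is not a number
        *[!0-9]*)  return 1 ;;   # anything but digits: reject ($, [, ], space, ...)
        *)         return 0 ;;
    esac
}

# Increments a[idx] only when idx passes is_uint. Prints the new value and
# returns 0; on rejected input prints a diagnostic to stderr and returns 1
# without touching the array or evaluating the input arithmetically.
safe_incr() {
    local idx=$1 n
    if ! is_uint "$idx"; then
        printf 'safe_incr: rejected index %q\n' "$idx" >&2
        return 1
    fi
    # Force base 10: "08" would otherwise be an invalid octal literal and
    # "010" would mean eight. Only digits can reach this line.
    n=$((10#$idx))
    (( a[n]++ ))
    printf '%s\n' "${a[n]}"
}

# Demonstration when run directly (constructed values).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    a=(123 456 789)
    safe_incr 1            # prints 457
    safe_incr 08           # prints 1: a[8] was unset, treated as 0
    safe_incr '2 '         # rejected: trailing space
    safe_incr 'none[x]'    # rejected: brackets never reach (( ))
fi
```

The important property is that the untrusted string is only ever compared against a glob pattern; by the time `(( ))` runs, the subscript is a number the script itself produced. Checking the value with `[[ $idx =~ ^[0-9]+$ ]]` would work as well, but `case` is portable to any POSIX shell.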