On Thu, 28 Oct 2021 20:33:22 +0000 elettrino via Bug reports for the GNU Bourne Again SHell <bug-bash@gnu.org> wrote:
> The following shows an example of bash testing a quoted string and as a
> result executing a command embedded in the string.
>
> Here I used the command "id" to stand as an example of a command. The output
> of id on this machine was as follows:
>
> user@machine:~$ id
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
>
> So to demonstrate:
>
> user@machine:~$ USER_INPUT='x[$(id>&2)]'
> user@machine:~$ test -v "$USER_INPUT"
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
>
> This means that if variable USER_INPUT was indeed input from a user, the user
> could execute an arbitrary command.
>
> Also unexpected (and presumably related), bash is expanding the construct
> inside single quote marks:
>
> user@machine:~$ test -v 'x[$(id>&2)]'
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
>
> user@machine:~$ echo $BASH_VERSION
> 4.4.20(1)-release
> user@machine:~$
>
> I don't know whether this happens with anything other than the -v option with
> test; I have not seen it happen under any other circumstance.
>
> Sent with [ProtonMail](https://protonmail.com) Secure Email.

It is a regrettable consequence of the arithmetical context. See
https://mywiki.wooledge.org/BashProgramming/05#Arithmetic_Expansion for some
other examples.

As things stand, your only option is to validate or sanitise arbitrarily
specified array indices before proceeding to use them in such a context.

-- 
Kerin Millar
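One way to do the validation the reply calls for, as an added example that is not part of the original thread or of bash itself. The function names `is_safe_ref` and `safe_isset` and the `ports` array are hypothetical, and the check assumes only indexed arrays with literal decimal subscripts need to be supported.

```bash
#!/usr/bin/env bash
# Added example: allowlist a variable reference before it reaches `test -v`,
# so the subscript is never handed to bash's arithmetic evaluator unchecked.

# is_safe_ref REF
# Succeeds only for a plain identifier, or an identifier followed by a
# literal non-negative decimal subscript such as name[12].
# Leading zeros are refused because arithmetic context reads them as octal.
is_safe_ref() {
    local LC_ALL=C
    local re='^[A-Za-z_][A-Za-z0-9_]*(\[(0|[1-9][0-9]{0,8})\])?$'
    [[ $1 =~ $re ]]
}

# safe_isset REF
# Returns 0 if REF is set, 1 if it is unset, 2 if REF was refused.
# REF is only passed to `test -v` after it has matched the allowlist.
safe_isset() {
    is_safe_ref "$1" || return 2
    test -v "$1"
}

# Constructed sample data for the demonstration below.
ports=([0]=22 [3]=443)

# The last entry is the string from the report; it is refused, not evaluated.
for ref in ports 'ports[3]' 'ports[1]' 'ports[08]' 'x[$(id>&2)]'; do
    rc=0
    safe_isset "$ref" || rc=$?
    printf '%-14s -> %d\n' "$ref" "$rc"
done
```

Callers should treat return code 2 as a rejected input and stop, rather than folding it into the "unset" case.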