bug-bash

Re: Arithmetic + array allows for code injection


From: Pierre Gaston
Subject: Re: Arithmetic + array allows for code injection
Date: Fri, 30 May 2014 21:12:18 +0300

On Fri, May 30, 2014 at 9:08 PM, Greg Wooledge <address@hidden> wrote:

> On Fri, May 30, 2014 at 08:57:42PM +0300, Pierre Gaston wrote:
> > It doesn't seem right for code looking as innocent as $((a[$i])) or
> > $((a["$i"])) to allow running arbitrary commands for some value of i,
> > that are not even that clever:
> >
> > $ i='$( echo >&2 an arbitrary command )';:  $((a["$i"]))
> > an arbitrary command
> >
> > $ i='"$( echo >&2 an arbitrary command)"';: $((a[$i]))
> > an arbitrary command
>
> A workaround is to avoid the explicit $i inside the square brackets:
>
> imadev:~$ i='$(date)'; : $((a[$i]))
> bash: Fri May 30 14:05:34 EDT 2014: syntax error in expression (error
> token is "May 30 14:05:34 EDT 2014")
> imadev:~$ i='$(date)'; : $((a[i]))
> bash: $(date): syntax error: operand expected (error token is "$(date)")
>
> I don't dispute the need to fix it, though.
>

Right, in fact this bug was found when playing with associative arrays,
where this workaround is not possible; with declare -A a you can use
$((${a["$i"]}))

