bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Arithmetic + array allows for code injection


From: Greg Wooledge
Subject: Re: Arithmetic + array allows for code injection
Date: Mon, 2 Jun 2014 09:34:28 -0400
User-agent: Mutt/1.4.2.3i

On Mon, Jun 02, 2014 at 03:08:17PM +0200, Andreas Schwab wrote:
> Greg Wooledge <address@hidden> writes:
> 
> > imadev:~$ : $((a[$x]))
> > bash: Mon Jun 2 08:06:39 EDT 2014: syntax error in expression (error token 
> > is "Jun 2 08:06:39 EDT 2014")
> >
> > There's the code-injection problem that started the thread.
> 
> Here the index is '$(date)'.
> 
> *Note (bash) Arithmetic Expansion:: ... All tokens in the expression
> undergo parameter and variable expansion, command substitution, and
> quote removal.  The result is treated as the arithmetic expression to be
> evaluated.

Ah.  And this is copied almost verbatim from POSIX:

http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_06_04

$((expression))

The expression shall be treated as if it were in double-quotes, except that a
double-quote inside the expression is not treated specially. The shell shall
expand all tokens in the expression for parameter expansion, command
substitution, and quote removal.

So the reason it acts this way is because POSIX said so.  Now it starts
to make sense!

(One could argue that POSIX's wording doesn't require the command
substitution be done in a second pass AFTER the parameter expansion.
But apparently it has been interpreted this way.)



reply via email to

[Prev in Thread] Current Thread [Next in Thread]