Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash
From: Stephane Chazelas
Subject: Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey)
Date: Fri, 10 Oct 2014 15:55:47 +0100
User-agent: Mutt/1.5.21 (2010-09-15)
2014-10-10 10:17:40 -0400, Chet Ramey:
[...]
> > bash -c '(( XDG_VTNR < 7 ))'
> >
> > That allows arbitrary code execution (and can't easily be
> > fixed without breaking backward compatibility).
> >
> > Try with "export XDG_VTNR='a[$(echo>&2 vulnerable)]'".
>
> Sure, and that's documented, intended, and not unique.
[...]
Is it really intended and documented that cmdsubst be performed
there?
AFAICT, it's not useful and not consistent.
a='$(echo 1+1)' bash -c 'echo $((a))'
Doesn't work. So why would these work
a='b[$(echo 1+1)]' bash -c 'echo $((a))'
Or
a='$(echo 1+1)' bash -c 'echo $((b[a]))'
then? Where is it documented that variable, arithmetic, command, tilde and
process substitution are performed in array subscripts in indirectly
evaluated arithmetic expressions?
I can accept:
echo $((a[$(echo 1+1)]))
or:
a[$(echo 1+1)]=2
being accepted intentionally.
But I can't see why the content of a variable should be
interpreted as anything else than an arithmetic expression just
because it's in an array subscript.
--
Stephane
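The contrast Stephane draws above, as an added example that is not part of the original message or of bash: a small POSIX sh script that feeds each value to a child bash (assumed to be on PATH) through the environment, records whether the embedded $(...) actually ran by having it create a marker file, and then shows the input check a script should apply before untrusted data reaches $(( )), (( )) or [[ ... -eq ... ]]. The function names probe, is_int and vtnr_below_7 and the marker-file trick are ours, not anything from the bash project.

```shell
#!/bin/sh
# Added example, not from the original message or from bash itself.
# Re-runs the two cases contrasted in the message in a child bash (assumed on
# PATH) and shows the input check to apply before untrusted data reaches
# arithmetic context. Function names are ours.

# Evaluate $((A)) in a fresh bash with A taken from $1. The value is handed
# over through the environment, never spliced into a command string. A payload
# may reference $MARKER; if its $(...) really executes, the marker file appears.
# Prints "<exit status> <arithmetic result> <ran|quiet>".
probe() {
    marker=$(mktemp)
    rm -f "$marker"
    status=0
    result=$(A="$1" MARKER="$marker" bash -c 'echo "$((A))"' 2>/dev/null) || status=$?
    if [ -e "$marker" ]; then ran=ran; rm -f "$marker"; else ran=quiet; fi
    printf '%s %s %s\n' "$status" "$result" "$ran"
}

# Case 1: the value is a bare command substitution. The arithmetic parser
# sees "$" as an invalid token, so nothing is executed and $((A)) fails.
direct='$(: >"$MARKER"; echo 1+1)'

# Case 2: the same substitution inside an array subscript. bash expands the
# subscript while resolving b[...], so the command runs; b[0] is unset and
# evaluates to 0.
subscript='b[$(: >"$MARKER"; echo 0)]'

# The defence: accept only an optionally signed decimal integer. Leading
# zeros are rejected too, because bash would read "08" as octal and fail.
is_int() {
    n=${1#[+-]}                          # drop one optional leading sign
    case $n in
        0)              return 0 ;;      # bare zero
        ''|*[!0-9]*|0*) return 1 ;;      # empty, non-digit, or leading zero
        *)              return 0 ;;
    esac
}

# Safe form of the check quoted in the message. Exit status: 0 if below 7,
# 1 if not, 2 if the input was rejected before any arithmetic ran.
vtnr_below_7() {
    is_int "$1" || return 2
    XDG_VTNR="$1" bash -c '(( XDG_VTNR < 7 ))'
}

# Demo output when run directly.
echo "direct:    $(probe "$direct")"
echo "subscript: $(probe "$subscript")"
for v in 3 12 'a[$(echo>&2 vulnerable)]'; do
    rc=0; vtnr_below_7 "$v" || rc=$?
    echo "vtnr_below_7 '$v' -> $rc"
done
```

The marker file is the only reliable witness here: the arithmetic result alone cannot tell a payload that ran from one that was merely rejected, since b[0] and a parse failure both leave nothing useful on stdout. Validating with a shell pattern before the value ever reaches an arithmetic context is the fix that does not depend on which expansions bash performs in subscripts.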
- re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Rick Karcich (rkarcich), 2014/10/09
- Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Eduardo A . Bustamante López, 2014/10/09
- Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Pádraig Brady, 2014/10/09
- Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Chet Ramey, 2014/10/09
- Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Chet Ramey, 2014/10/13
- expansions upon arithmetic evaluation in array subscripts, Stephane Chazelas, 2014/10/13
- Re: expansions upon arithmetic evaluation in array subscripts, Chet Ramey, 2014/10/14
- Re: expansions upon arithmetic evaluation in array subscripts, Linda Walsh, 2014/10/14
- Re: expansions upon arithmetic evaluation in array subscripts, Chet Ramey, 2014/10/14