bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash


From: Chet Ramey
Subject: Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey)
Date: Mon, 13 Oct 2014 09:02:38 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0

On 10/10/14, 10:55 AM, Stephane Chazelas wrote:
> 2014-10-10 10:17:40 -0400, Chet Ramey:
> [...]
>>> bash -c '(( XDG_VTNR < 7 ))
>>>
>>> That allows arbitrary code execution (and can't easily be
>>> fixed without breaking backward compatibility).
>>>
>>> Try with "export XDG_VTNR='a[$(echo>&2 vulnerable)]'".
>>
>> Sure, and that's documented, intended, and not unique.
> [...]
> 
> Is it really intended and documented that cmdsubst be performed
> there?

Yes, all of the word expansions are performed on an array subscript.

> 
> AFAICT, it's not useful and not consistent.
> 
> a='$(echo 1+1)' bash -c 'echo $((a))'
> 
> Doesn't work. So why would these work
> 
> a='b[$(echo 1+1)]' bash -c 'echo $((a))
> Or
> a='$(echo 1+1)' bash -c 'echo $((b[a]))'
> 
> then? Where is it documented that variable, arithmetic, command, tilde and
> process substitution are performed in array subscripts in indirectly
> evaluated arithmetic expressions?

You have to put it together.  A variable need not be expanded before
arithmetic evaluation, so the evaluator expands, for instance, a bare
`a' to `b[$(echo 1+1)]'.  When a variable is expanded, its value is
treated as an expression to be evaluated.  An array subscript -- for an
indexed array -- is an arithmetic expression.  All tokens in an arithmetic
expression, including an array subscript, undergo variable expansion, word
splitting, and quote removal.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    address@hidden    http://cnswww.cns.cwru.edu/~chet/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]