bug-bash

Re: Bug on function.


From: Kelvin Tan Thiam Teck
Subject: Re: Bug on function.
Date: Tue, 8 Dec 2015 16:29:52 +0800

dumbass@Lucifer:~$ ./report.sh 'echo' 1 2 3 4 5 6 7 8 9 10
param 1  : echo
param 2  : 1
param 3  : 2
param 4  : 3
param 5  : 4
param 6  : 5
param 7  : 6
param 8  : 7
param 9  : 8
param 10  : echo0
param 11  : echo1
param 12  : echo2
param 13  : echo3
param 14  : echo4
param 15  : echo5
param 16  : echo6
param 17  : echo7
param 18  : echo8
param 19  : echo9
param 20  : 10
param 21  : 11
param 22  : 12
param 23  : 13
param 24  : 14
param 25  : 15
param 26  : 16
param 27  : 17
param 28  : 18
param 29  : 19
param 30  : 20
param 31  : 21
param 32  : 22
param 33  : 23
param 34  : 24
param 35  : 25
param 36  : 26
param 37  : 27
param 38  : 28
param 39  : 29
param 40  : 30


On Tue, Dec 8, 2015 at 4:15 PM, Kelvin Tan Thiam Teck <kelvintx3@gmail.com> wrote:
Eh, thanks. I listed them to show that my params from the 10th to the 18th are affected, instead of the 18th param only.

On Tue, Dec 8, 2015 at 4:13 PM, Pierre Gaston <pierre.gaston@gmail.com> wrote:


On Tue, Dec 8, 2015 at 9:58 AM, Kelvin Tan Thiam Teck <kelvintx3@gmail.com> wrote:
dumbass@Lucifer:~$ ./report.sh "echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot" AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
Before Passing Thru Function: echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
reboot: Need to be root
9th:
10th: echo0
11th: echo1
12th: echo2
13th: echo3
14th: echo4
15th: echo5
16th: echo6
17th: echo7
./report.sh: line 29: echo8: command not found
19th: echo9
20th: ln0
dumbass@Lucifer:~$

I think you misunderstand me, I'm not denying that you inject some code. What I'm saying is that the bug is in your code.
Here is a simpler way to reproduce:

$ cat inject
#!/bin/bash
function foo {
  "$2"
}

foo $*
$ ./inject "blah date"
Tue Dec  8 10:08:45 EET 2015

You can see that "date" is executed, but it's a bug in the script: $* is split in 2, as it is supposed to be, and foo receives 2 arguments.

You can fix the bug using "$@":
$ vi inject
$ cat inject
#!/bin/bash
function foo {
  "$2"
}

foo "$@"
$ ./inject "blah date"
./inject: line 3: : command not found


Now the arguments are not split again and foo receives only one argument, hence the error.

As I said, there are many pitfalls in shell scripts; that's why allowing a script to run with more privileges than the user has is dangerous.
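
The two pitfalls in this thread side by side, as an added example that is not part of the original messages: unquoted $* re-splitting one argument into two (the inject case), and $10 expanding as ${1} followed by a literal 0, which is consistent with the echo0 ... echo9 lines in the report.sh output (report.sh itself is not shown here, so that link is an assumption). All function names are hypothetical, the inputs are constructed, and no argument is ever executed.

```shell
#!/bin/bash
# Added example: argument-forwarding pitfalls, buggy form beside fixed form.
# Arguments are only counted or printed, never run as commands.

# Report how many arguments the callee actually received.
count_args() { printf '%s\n' "$#"; }

# Report what the callee sees as its second argument (empty if none).
second_arg() { printf '%s\n' "${2-}"; }

# BUGGY: unquoted $* is word-split again, so 'blah date' becomes 2 words.
count_unquoted()  { count_args $*; }
second_unquoted() { second_arg $*; }

# FIXED: "$@" forwards each argument exactly as it was received.
count_quoted()  { count_args "$@"; }
second_quoted() { second_arg "$@"; }

# BUGGY: $10 is parsed as ${1} followed by the character 0.
tenth_buggy() { printf '%s\n' "$10"; }

# FIXED: positional parameters above 9 need braces.
tenth_fixed() { printf '%s\n' "${10}"; }

# Constructed inputs modelled on the commands shown in the thread.
echo "unquoted \$*  : $(count_unquoted 'blah date') args, \$2='$(second_unquoted 'blah date')'"
echo "quoted \"\$@\" : $(count_quoted 'blah date') args, \$2='$(second_quoted 'blah date')'"
echo "\$10   gives : $(tenth_buggy echo 1 2 3 4 5 6 7 8 9 10)"
echo "\${10} gives : $(tenth_fixed echo 1 2 3 4 5 6 7 8 9 10)"
```

With the unquoted form, the word after the space lands in the callee's "$2", which is exactly the slot the inject script runs as a command.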
