bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Execution of code by address@hidden


From: Clint Hepner
Subject: Execution of code by address@hidden
Date: Mon, 14 Nov 2016 13:37:35 -0500

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: darwin16.0.0
Compiler: clang
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' 
-DCONF_OSTYPE='darwin16.0.0' -DCONF_MACHTYPE='x86_64-apple-darwin16.0.0' 
-DCONF_VENDOR='apple' -DLOCALEDIR='/usr/local/Cellar/bash/4.4_1/share/locale' 
-DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -DMACOSX   -I.  -I. -I./include 
-I./lib -I./lib/intl 
-I/private/tmp/bash-20160928-76620-1cvsdye/bash-4.4/lib/intl  
-DSSH_SOURCE_BASHRC -Wno-parentheses -Wno-format-security
uname output: Darwin 192.168.1.21 16.1.0 Darwin Kernel Version 16.1.0: Thu Oct 
13 21:26:57 PDT 2016; root:xnu-3789.21.3~60/RELEASE_X86_64 x86_64
Machine Type: x86_64-apple-darwin16.0.0

Bash Version: 4.4
Patch Level: 0
Release Status: release

Description:

     address@hidden expansion allows arbitrary code to run. This might
     be intentional, as it is how prompt strings work, but it
     does feel like an understated security risk.


Repeat-By:

     $ foo='$(echo hello)'
     $ echo "${foo}"
     $(echo hello)
     $ echo "address@hidden"
     hello



Fix:
        The man page might explicitly state that command substitutions
        in the value of the expanded parameter will be executed.

        This also suggests one or more additional operators that perform
        things like parameter expansion, pathname expansions, etc.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]