bug-bash
Re: Execution of code by address@hidden


From: Chet Ramey
Subject: Re: Execution of code by address@hidden
Date: Mon, 14 Nov 2016 17:23:42 -0500
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.4.0

On 11/14/16 1:37 PM, Clint Hepner wrote:

> Bash Version: 4.4
> Patch Level: 0
> Release Status: release
> 
> Description:
> 
>      address@hidden expansion allows arbitrary code to run. This might
>      be intentional, as it is how prompt strings work, but it
>      does feel like an understated security risk.
> 
> 
> Repeat-By:
> 
>      $ foo='$(echo hello)'
>      $ echo "${foo}"
>      $(echo hello)
>      $ echo "address@hidden"
>      hello
> 
> 
> 
> Fix:
>         The man page might explicitly state that command substitutions
>         in the value of the expanded parameter will be executed.

The question is how many different places you want to have the same
information.  The description of @P already contains a pointer to the
PROMPTING section, which explicitly lists command substitution as one
of the expansions prompt strings undergo.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    address@hidden    http://cnswww.cns.cwru.edu/~chet/
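As an added example (not part of the thread or of bash's own sources), the behaviour reported above, for the `@P` transformation Chet refers to, next to the `promptvars` option that governs it. The outer script is POSIX and calls `bash -c` so it needs bash 4.4 or later only inside; the untrusted value and the function names are constructed for this demonstration.

```bash
#!/bin/sh
# Added example: ${var@P} runs any command substitution embedded in the
# value, because the value is processed like a prompt string (PROMPTING
# section). `shopt -u promptvars` switches that processing off.

# Constructed untrusted value: looks like data but carries $(...), as in
# the original report.
UNTRUSTED='$(echo hello)'

# Plain expansion: the value is literal text, nothing is executed.
plain_expand() {
    bash -c 'foo=$1; printf "%s" "${foo}"' _ "$UNTRUSTED"
}

# Prompt expansion: the embedded $(...) is executed, output is "hello".
prompt_expand() {
    bash -c 'foo=$1; printf "%s" "${foo@P}"' _ "$UNTRUSTED"
}

# Mitigation: with promptvars off, prompt decoding skips parameter
# expansion, command substitution and arithmetic expansion, so the
# value comes back literal even through @P.
prompt_expand_nopromptvars() {
    bash -c 'shopt -u promptvars; foo=$1; printf "%s" "${foo@P}"' _ "$UNTRUSTED"
}

# Stand-alone demonstration.
printf 'plain:             %s\n' "$(plain_expand)"
printf 'prompt:            %s\n' "$(prompt_expand)"
printf 'prompt, no vars:   %s\n' "$(prompt_expand_nopromptvars)"
```

The practical rule this shows: only apply `@P` to strings you control, and treat `promptvars` as the switch that decides whether prompt-style expansion can execute anything at all.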


