[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Code Execution in Mathematical Context

From: Nils Emmerich
Subject: Re: Code Execution in Mathematical Context
Date: Tue, 4 Jun 2019 16:39:51 +0200
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0

If you run
echo "$((v))"
and v is a user supplied variable.
If the user put a specific string in v, he can execute whatever he wants in the name of the script, because echo "$((v))" will run that code.

Am 6/4/2019 um 4:29 PM schrieb Chet Ramey:
On 6/4/19 7:42 AM, Nils Emmerich wrote:

Bash Version: 5.0
Patch Level: 0
Release Status: release

         It is possible to get code execution via a user supplied variable
in the mathematical context.
         I don't know if this is considered a bug or not, but if not, I
think people should be made aware that the mathematical context is unsafe.
The tokens in a mathematical expression undergo a set of word expansions.
If you could post the example you're using we can analyze its behavior.

Nils Emmerich

ERNW Research GmbH
Carl-Bosch-Str. 4
69115 Heidelberg
Tel. +49 6221 480390 (Sekretariat)
Handelsregister Mannheim HRB 723285
Geschäftsführer: Dr.-Ing. Andreas Dewald

Blog: www.insinuator.net
Conference: www.troopers.de

reply via email to

[Prev in Thread] Current Thread [Next in Thread]