bug-bash

Re: Code Execution in Mathematical Context


From: Chet Ramey
Subject: Re: Code Execution in Mathematical Context
Date: Wed, 5 Jun 2019 10:05:35 -0400
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.0

On 6/4/19 3:26 PM, Ilkka Virta wrote:
> On 4.6. 16:24, Greg Wooledge wrote:
>> On Tue, Jun 04, 2019 at 01:42:40PM +0200, Nils Emmerich wrote:
>>> Bash Version: 5.0
>>> Patch Level: 0
>>> Release Status: release
>>>
>>> Description:
>>>          It is possible to get code execution via a user supplied
>>> variable in the mathematical context.
> 
>> For example:  (( 'a[i]++' ))   or   let 'a[i]++'
> 
>> Without quotes in the former, something bad happens, but I can't remember
>> the details off the top of my head.
> 
> If the bad user supplied variable contains array indexing in itself, e.g.
> bad='none[$(date >&2)]' then using it in an arithmetic expansion still
> executes the 'date', single quotes or not (the array doesn't need to exist):

Because the value is treated as an expression, not an integer constant.


> Same here, of course:
> 
>   $ (( bad ))
>   Tue Jun  4 22:04:29 EEST 2019
>   $ (( 'bad' ))
>   Tue Jun  4 22:04:32 EEST 2019

Quoting a string doesn't make it a non-identifier in this context.

> 
> So, it doesn't seem the single-quotes help. They do seem to break the whole
> expression within "$(( ))", though:
> 
>   $ echo "$(( 'a[2]' ))"
>   bash: 'a[2]' : syntax error: operand expected (error token is "'a[2]' ")

The expression between the parens is treated as if it were within double
quotes, where single quotes are not special.


-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    address@hidden    http://tiswww.cwru.edu/~chet/
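
An added example, not part of this message or the thread: because the value of a variable named in an arithmetic context is evaluated as an expression, one defensive pattern is to accept an untrusted value only if it is a decimal integer constant before it reaches `(( ))` or `$(( ))`. The helper names `to_int` and `add_one` are hypothetical, and the sample inputs are constructed apart from `none[$(date >&2)]`, which is the value quoted above.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread; to_int and add_one are hypothetical names.

# Print $1 normalised to a decimal integer constant, or return 1.
# Only pattern matching is used, so a rejected value is never evaluated.
to_int() {
    local sign digits
    case $1 in -*) sign=- ;; *) sign= ;; esac
    digits=${1#[+-]}
    case $digits in
        ''|*[!0-9]*) return 1 ;;   # empty, identifier, a[i], $(...), spaces
    esac
    # Drop leading zeros so 08 is not read as an invalid octal constant.
    while [ "${#digits}" -gt 1 ] && [ "${digits#0}" != "$digits" ]; do
        digits=${digits#0}
    done
    [ "${#digits}" -le 18 ] || return 1   # stay inside the 64-bit range
    printf '%s\n' "$sign$digits"
}

# Arithmetic on an untrusted value: validate first, evaluate second.
add_one() {
    local n
    n=$(to_int "$1") || return 1
    printf '%s\n' "$(( n + 1 ))"
}

# Constructed sample inputs; the third is the value quoted in the thread.
for v in 41 007 'none[$(date >&2)]' 'a[2]' bad -12; do
    if out=$(add_one "$v"); then
        printf 'accepted %-20s -> %s\n' "$v" "$out"
    else
        printf 'rejected %-20s\n' "$v"
    fi
done
```

The check rejects bare identifiers such as `bad` as well as subscripted ones, since either form would be dereferenced and its value evaluated as an expression.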


