[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Unexpected code injection with [[ -v ]]

From: Greg Wooledge
Subject: Unexpected code injection with [[ -v ]]
Date: Mon, 9 Nov 2020 18:29:42 -0500
User-agent: Mutt/1.10.1 (2018-07-13)

bash version 5.0.3(1)-release, Debian package 5.0-4, amd64.

Prompted by a discussion with someone in IRC.

unicorn:~$ key='$(date >&2)'
unicorn:~$ declare -A aa
unicorn:~$ aa[$key]=foo
unicorn:~$ echo "${aa[$key]}"
unicorn:~$ [[ -v aa[$key] ]]
Mon Nov  9 18:17:30 EST 2020
bash: aa: bad array subscript
unicorn:~$ [[ -v 'aa[$key]' ]]

It's well-known that handing an unsanitized index to an *indexed* array
causes code injection when the index is evaluated in a math context, but
the code injection from -v with an *associative* array is a new one to me.
It's especially confusing because it doesn't happen with assignments or
expansions -- just with -v.

It seems single-quoting the array name + square brackets + key "works" to
avoid the code injection, but it's not clear to me why that's needed.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]