Execution of code by ${...@P}
From: Clint Hepner
Subject: Execution of code by ${...@P}
Date: Mon, 14 Nov 2016 13:37:35 -0500
Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: darwin16.0.0
Compiler: clang
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64'
-DCONF_OSTYPE='darwin16.0.0' -DCONF_MACHTYPE='x86_64-apple-darwin16.0.0'
-DCONF_VENDOR='apple' -DLOCALEDIR='/usr/local/Cellar/bash/4.4_1/share/locale'
-DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -DMACOSX -I. -I. -I./include
-I./lib -I./lib/intl
-I/private/tmp/bash-20160928-76620-1cvsdye/bash-4.4/lib/intl
-DSSH_SOURCE_BASHRC -Wno-parentheses -Wno-format-security
uname output: Darwin 192.168.1.21 16.1.0 Darwin Kernel Version 16.1.0: Thu Oct
13 21:26:57 PDT 2016; root:xnu-3789.21.3~60/RELEASE_X86_64 x86_64
Machine Type: x86_64-apple-darwin16.0.0
Bash Version: 4.4
Patch Level: 0
Release Status: release
Description:
${...@P} expansion allows arbitrary code to run. This might
be intentional, as it is how prompt strings work, but it
does feel like an understated security risk.
Repeat-By:
$ foo='$(echo hello)'
$ echo "${foo}"
$(echo hello)
$ echo "${foo@P}"
hello
Fix:
The man page might explicitly state that command substitutions
in the value of the expanded parameter will be executed.
This also suggests one or more additional operators that perform
things like parameter expansion, pathname expansions, etc.
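
An added example, not part of the original report or of bash itself: the first function reproduces the Repeat-By behaviour, and the other two show a conservative guard that refuses to apply `@P` to a value containing `$`, a backtick or a backslash. The function names are hypothetical, the sample inputs are constructed (the first is the value from the report), and bash 4.4 or later is assumed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original report. Needs bash 4.4+ for ${var@P}.
# Function names are hypothetical.

# The behaviour from the report: @P treats the value as a prompt string, so a
# command substitution stored in the value is executed during the expansion.
expand_prompt_unchecked() {
    local value=$1
    printf '%s\n' "${value@P}"
}

# Conservative check: succeed only if the value contains nothing that prompt
# expansion acts on. '$' and '`' start expansions and command substitutions;
# '\' starts prompt escapes such as \nnn, which are decoded to characters
# before the expansion step runs.
is_inert_for_prompt_expansion() {
    case $1 in
        *'$'* | *'`'* | *'\'*) return 1 ;;
    esac
    return 0
}

# Apply @P only to values that pass the check; refuse everything else.
expand_prompt_checked() {
    local value=$1
    if ! is_inert_for_prompt_expansion "$value"; then
        printf 'refusing to prompt-expand: %q\n' "$value" >&2
        return 1
    fi
    printf '%s\n' "${value@P}"
}

# Constructed inputs; the first is the value from the report.
for sample in '$(echo hello)' '`echo hello`' '\044(echo hello)' 'plain text'; do
    if out=$(expand_prompt_checked "$sample" 2>/dev/null); then
        printf 'expanded %q -> %s\n' "$sample" "$out"
    else
        printf 'rejected %q\n' "$sample"
    fi
done
```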