Re: Execution of code by ${...@P}
From: Chet Ramey
Subject: Re: Execution of code by ${...@P}
Date: Mon, 14 Nov 2016 17:23:42 -0500
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
On 11/14/16 1:37 PM, Clint Hepner wrote:
> Bash Version: 4.4
> Patch Level: 0
> Release Status: release
>
> Description:
>
> ${...@P} expansion allows arbitrary code to run. This might
> be intentional, as it is how prompt strings work, but it
> does feel like an understated security risk.
>
>
> Repeat-By:
>
> $ foo='$(echo hello)'
> $ echo "${foo}"
> $(echo hello)
> $ echo "${foo@P}"
> hello
>
>
>
> Fix:
> The man page might explicitly state that command substitutions
> in the value of the expanded parameter will be executed.
The question is how many different places you want to have the same
information. The description of @P already contains a pointer to the
PROMPTING section, which explicitly lists command substitution as one
of the expansions prompt strings undergo.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/
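The point of the thread, as an added example that is not from the bug-bash exchange above: ${var@P} runs the value through the same processing a prompt string gets (backslash-escape decoding first, then parameter expansion, command substitution and arithmetic expansion), and the documented `promptvars` shell option is the switch that turns the expansion stage off. The function names `prompt_expand`, `prompt_expand_noexec` and `would_expand` and the sample values are constructed for this example; it assumes bash 4.4 or later is on PATH and runs each expansion in a child bash so the caller's shell options are left alone.

```shell
# Added example, not code from the bug-bash thread. Shows that ${var@P}
# applies prompt-string processing to whatever value it is handed, and that
# 'shopt -u promptvars' (documented in the bash manual) disables the
# expansion stage. Requires bash >= 4.4 on PATH.

# Expand $1 as a prompt string with promptvars on (bash's default).
prompt_expand() {
    bash -c 'shopt -s promptvars; printf "%s" "${1@P}"' _ "$1"
}

# Expand $1 as a prompt string with promptvars off: backslash escapes such
# as \w or \nnn are still decoded, but nothing in the value is evaluated.
prompt_expand_noexec() {
    bash -c 'shopt -u promptvars; printf "%s" "${1@P}"' _ "$1"
}

# Return 0 (true) if $1 would reach the expansion stage carrying expansion
# syntax. The check runs on the escape-decoded form, so a value that spells
# '$' as the octal escape \044 (PROMPTING section: \nnn) is caught just like
# a literal '$('. It is deliberately conservative: a prompt containing the
# documented \$ escape is also flagged, since it decodes to a bare '$'.
would_expand() {
    decoded=$(prompt_expand_noexec "$1")
    case $decoded in
        *'$'*|*'`'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample values.
plain='user@host:\w'          # ordinary prompt, no expansion syntax
direct='$(echo hello)'        # the thread's Repeat-By case
escaped='\044(echo hello)'    # same command with '$' written as an octal escape

for v in "$plain" "$direct" "$escaped"; do
    if would_expand "$v"; then
        printf '%-22s -> would be expanded; decoded form: %s\n' \
            "$v" "$(prompt_expand_noexec "$v")"
    else
        printf '%-22s -> no expansion syntax; result: %s\n' \
            "$v" "$(prompt_expand "$v")"
    fi
done
```

A script that applies @P to data it does not control should either run the expansion with `promptvars` unset, as `prompt_expand_noexec` does, or reject values for which `would_expand` succeeds; grepping the raw value for `$(` alone is not enough, because the escape-decoding pass runs before the expansion pass.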