On 10/10/2014 08:55 AM, Stephane Chazelas wrote:

> But I can't see why the content of a variable should be
> interpreted as anything else than an arithmetic expression just
> because it's in an array subscript.

For the record, there are vulnerable shell scripts in the wild that fail
to sanitize their inputs before passing them through arithmetic expansion,
all because MULTIPLE shells (bash, ksh, mksh, zsh) all have the same
semantic decision of performing command substitution as part of
arithmetic expansion.  For example:

$ /usr/sbin/fsadm -n resize /dev/sdb '0+x[`id >/dev/tty`]T'

demonstrates that fsadm is vulnerable for trying to do $(($1)) without
sanitizing $1 first.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
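
The mitigation the message points to, as an added example (not fsadm's code and not part of the original post): match the argument against a digits-only pattern before it ever reaches `$(( ))`. The helper name `size_to_bytes` and the K/M/G/T suffix set are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helper, not taken from fsadm.
# Converts a size such as "4096", "512K" or "2T" to bytes. The value is
# checked against a strict pattern BEFORE arithmetic expansion, so only
# plain decimal digits are ever handed to $(( )).
size_to_bytes() {
    input=$1
    # Split an optional one-letter unit suffix off the end.
    case $input in
        *[KMGT]) unit=${input#"${input%?}"}; number=${input%?} ;;
        *)       unit=; number=$input ;;
    esac
    # Reject empty values and anything containing a non-digit
    # (operators, brackets, backticks, "$", variable names, ...).
    case $number in
        ''|*[!0-9]*)
            echo "invalid size: refusing to evaluate" >&2
            return 1 ;;
    esac
    # Strip leading zeros so "010" is not parsed as octal.
    while [ "${#number}" -gt 1 ] && [ "${number#0}" != "$number" ]; do
        number=${number#0}
    done
    case $unit in
        K) mult=1024 ;;
        M) mult=1048576 ;;
        G) mult=1073741824 ;;
        T) mult=1099511627776 ;;
        *) mult=1 ;;
    esac
    echo $(( $number * $mult ))
}

# Constructed sample inputs; the last one is the string from the message
# above, which is rejected before any expansion takes place.
for arg in 4096 512K 2T '0+x[`id >/dev/tty`]T'; do
    if bytes=$(size_to_bytes "$arg" 2>/dev/null); then
        printf '%s -> %s bytes\n' "$arg" "$bytes"
    else
        printf 'rejected: %s\n' "$arg"
    fi
done
```

Quoting `"$1"` inside `$(( ))` does not help here, because the shell evaluates the expanded text as an expression either way; only validating the string beforehand does.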
