2014-12-07 19:34:53 -0800, Linda Walsh:
[...]
> Stephane Chazelas wrote:
> > declare -l a="$external_input"
> >
> >he's entitled to expect $a to contain the lower case version of
> >$external_input whatever $external_input contain.
> ---
> Only if you properly quote "external input".
>
> If you properly quote the external input I don't see the problem:
>
> Does this example demonstrate your setup?
>
> >declare -a a=(1 2 3)
> >b='($(echo FOO))'
> >printf -v qb "%q" "$b" # here must quote the raw 'external input' string
> >declare -l a=$qb # redefining 'a' to be lower case
> >read c <<<$a # read the quoted value printf "%s\n"
> >"$c"
> ($(echo foo)) # no execution -- just the case lowering you want
>
> Am I missing something?
I think you're missing my point.
I'm saying that if a script writer writes:
declare a="$b"
intending to declare the *scalar* varible "$a" as a copy of the
scalar variable "$b" (and remember that in ksh/bash, scalar
variables and arrays are not very differentiated, $a being
${a[0]}), and overlooked (or is not aware of (because that was
done by 3rd party code for instance)) the fact that the variable
was used as an array before (for instance because he used
a[0]=foo instead of a=foo for instance), then:
- it will work in most of the cases (and that's one aspect why
it's dangerous, because it's hard to detect).
- but you've got a code injection vulnerability (in the very
special case where $b starts with "(".
- for no good reason. See ksh for a better syntax that doesn't
have the issue.
- and it's not consistent when the same assignment is done
without "declare" (and no, I don't agree "declare" is a mere
builtin as it's already parsed halfway between a builtin and an
assignment).
Now, if the script writer intends to make the *array* variable $a
a copy (well potentially changing the indices) of $b, he would
simply write:
declare -la a=("${b[@]}")
I certainly don't expect him to have to resort to `printf %q`
here for that.
--
Stephane
