Eh, thanks. I listed them to show that my params from the 10th to the 18th are affected, instead of the 18th param only.

On Tue, Dec 8, 2015 at 4:13 PM, Pierre Gaston <pierre.gas...@gmail.com> wrote:

> On Tue, Dec 8, 2015 at 9:58 AM, Kelvin Tan Thiam Teck <kelvin...@gmail.com> wrote:
>
>> dumbass@Lucifer:~$ ./report.sh "echo ln -s /sbin/halt; mv halt ;reboot8 ;*
>> reboot*" AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
>> AAA AAA AAA AAA
>> Before Passing Thru Function: echo ln -s /sbin/halt; mv halt ;reboot8 ;
>> reboot AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
>> AAA AAA AAA
>> reboot: Need to be root
>> 9th:
>> 10th: echo0
>> 11th: echo1
>> 12th: echo2
>> 13th: echo3
>> 14th: echo4
>> 15th: echo5
>> 16th: echo6
>> 17th: echo7
>> ./report.sh: line 29: echo8: command not found
>> 19th: echo9
>> 20th: ln0
>> dumbass@Lucifer:~$
>
> I think you misunderstand me, I'm not denying that you inject some code.
> What I'm saying is that the bug is in your code.
> Here is a simpler way to reproduce:
>
> cat inject
> #!/bin/bash
> function foo {
>     "$2"
> }
>
> foo $*
> $ ./inject "blah date"
> Tue Dec 8 10:08:45 EET 2015
>
> You can see that "date" is executed, but it's a bug in the script, $* is
> split in 2 as it is supposed to and foo receives 2 arguments.
>
> You can fix the bug using "$@"
> $ vi inject
> $ cat inject
> #!/bin/bash
> function foo {
>     "$2"
> }
>
> foo "$@"
> $ ./inject "blah date"
> ./inject: line 3: : command not found
>
> Now the arguments are not split again and foo receives only one argument,
> hence the error.
>
> As I said, there are many pitfalls in shell script, that's why allowing
> running a script with more privilege than the user has is dangerous.
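
The argument-splitting behaviour described in the quoted reply, as an added example that is not part of the thread: it forwards the same arguments with `$*`, `"$*"` and `"$@"` and reports how many arguments the callee receives and what lands in slot 2. The function names (`probe`, `forward_unquoted`, `forward_joined`, `forward_quoted`) are hypothetical and the sample input is constructed to match the `./inject "blah date"` call.

```shell
#!/bin/sh
# Added illustration; not code from the thread. All names are hypothetical.

# probe: print "<argument count>|<contents of positional slot 2>".
probe() {
    printf '%s|%s\n' "$#" "${2-}"
}

# Unquoted $*: every argument is re-split on IFS (and the pieces are
# glob-expanded), so one caller-supplied string can fill several slots.
forward_unquoted() {
    probe $*
}

# "$*": all arguments are joined into ONE word, so boundaries are lost
# in the other direction.
forward_joined() {
    probe "$*"
}

# "$@": each argument is forwarded exactly as it was received.
forward_quoted() {
    probe "$@"
}

# Constructed sample input, same shape as the thread's ./inject "blah date".
sample='blah date'

demo() {
    printf '%-12s %s\n' 'form' 'count|slot2'
    printf '%-12s %s\n' 'unquoted $*' "$(forward_unquoted "$sample")"
    printf '%-12s %s\n' 'quoted "$*"' "$(forward_joined "$sample")"
    printf '%-12s %s\n' 'quoted "$@"' "$(forward_quoted "$sample")"
}

demo
```

Only the `"$@"` form keeps the callee's view of its parameters identical to what the caller passed; with unquoted `$*` the second word of the single argument becomes `$2`.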