I think `edit-and-execute-command' shouldn't be allowed under `read -e'. dualbus@debian:~$ cat prompt.sh #!/bin/bash declare -p UID EUID read -p '> ' -e declare -p REPLY
dualbus@debian:~$ id -u 1000 dualbus@debian:~$ sudo ./prompt.sh declare -ir UID="0" declare -ir EUID="0" > id -u 0 > bye declare -- REPLY="bye" The user can protect against this specific problem with: dualbus@debian:~$ cat prompt.sh #!/bin/bash declare -p UID EUID VISUAL=: read -p '> ' -e declare -p REPLY Although I'm not sure. Perhaps it's better to just discourage the use of `read -e' if the input cannot be trusted. Since there are other problems inherent to this approach (enumerate files with glob-expand-word). The particular case where I think this could be a problem is in the situation where a system administrator allows a user to run a specific script (and that script only) with elevated privileges using sudo, and a malicious user abuses `edit-and-execute-command' to workaround the restriction.
