On 6/4/19 3:26 PM, Ilkka Virta wrote:
> On 4.6. 16:24, Greg Wooledge wrote:
>> On Tue, Jun 04, 2019 at 01:42:40PM +0200, Nils Emmerich wrote:
>>> Bash Version: 5.0
>>> Patch Level: 0
>>> Release Status: release
>>>
>>> Description:
>>> It is possible to get code execution via a user supplied
>>> variable in
>>> the mathematical context.
>
>> For example: (( 'a[i]++' )) or let 'a[i]++'
>
>> Without quotes in the former, something bad happens, but I can't remember
>> the details off the top of my head.
>
> If the bad user supplied variable contains array indexing in itself, e.g.
> bad='none[$(date >&2)]' then using it in an arithmetic expansion still
> executes the 'date', single quotes or not (the array doesn't need to exist):

Because the value is treated as an expression, not an integer constant.

> Same here, of course:
>
> $ (( bad ))
> Tue Jun 4 22:04:29 EEST 2019
> $ (( 'bad' ))
> Tue Jun 4 22:04:32 EEST 2019

Quoting a string doesn't make it a non-identifier in this context.

>
> So, it doesn't seem the single-quotes help. They do seem to break the whole
> expression within "$(( ))", though:
>
> $ echo "$(( 'a[2]' ))"
> bash: 'a[2]' : syntax error: operand expected (error token is "'a[2]' ")

The expression between the parens is treated as if it were within double
quotes, where single quotes are not special.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU c...@case.edu http://tiswww.cwru.edu/~chet/
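
Since the value is evaluated as an expression and quoting does not change that, the defensive step is to check that untrusted input is an integer constant before it reaches arithmetic context. The following is an added example, not code from this thread or from bash itself; the function names normalize_int and safe_add are hypothetical, and the 18-digit limit is an assumption chosen to stay inside 64-bit range.

```bash
#!/usr/bin/env bash
# Added example: validate untrusted input before arithmetic evaluation.

# normalize_int VALUE
# Prints VALUE as a canonical decimal integer and returns 0 only when VALUE
# is an optional sign followed by 1 to 18 digits. Identifiers, subscripts,
# operators and whitespace are rejected by pattern match, never evaluated.
normalize_int() {
    _ni_sign=''
    _ni_digits=$1
    case $_ni_digits in
        -*) _ni_sign='-'; _ni_digits=${_ni_digits#-} ;;
        +*) _ni_digits=${_ni_digits#+} ;;
    esac
    case $_ni_digits in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
    # Strip leading zeros so "010" means decimal 10, not octal 8.
    while [ "${#_ni_digits}" -gt 1 ] && [ "${_ni_digits#0}" != "$_ni_digits" ]; do
        _ni_digits=${_ni_digits#0}
    done
    if [ "${#_ni_digits}" -gt 18 ]; then
        return 1                   # would overflow a 64-bit integer
    fi
    if [ "$_ni_digits" = 0 ]; then
        _ni_sign=''                # canonical zero has no sign
    fi
    printf '%s%s\n' "$_ni_sign" "$_ni_digits"
}

# safe_add UNTRUSTED N
# Adds the two operands only after both have passed normalize_int.
safe_add() {
    _sa_a=$(normalize_int "$1") || { echo "rejected: not an integer" >&2; return 1; }
    _sa_b=$(normalize_int "$2") || { echo "rejected: not an integer" >&2; return 1; }
    echo "$(( $_sa_a + $_sa_b ))"
}
```

The check uses only case patterns and parameter expansion, so the input is never handed to the arithmetic evaluator until it is known to be a plain number.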