On 1/8/21 10:24 AM, Oğuz wrote:

On Friday, January 8, 2021, Chet Ramey <chet.ra...@case.edu> wrote:

    On 1/8/21 5:20 AM, Oğuz wrote:

        See:

              $ declare -A assoc=($'\n\'' 42)
              $ for key in "${!assoc[@]}"; do (( assoc[$key]++ )); done
              bash: ((: assoc[
              ']++ : bad array subscript (error token is "assoc[
              ']++ ")
              $
              $ (( assoc[${key@Q}]++ ))
              bash: ((: assoc[$'\n\'']++ : bad array subscript (error token is "assoc[$'\n\'']++ ")


    This situation is why bash-5.0 introduced the `assoc_expand_once' option.


But it allows arbitrary command injection.

     $ declare -A assoc
     $ key='x],b[$(uname >&2)'
     $ shopt -s assoc_expand_once
     $ (( assoc[$key]++ ))
     Linux

So you have got (( assoc[x],b[$(uname >&2)] )), and the shell does exactly
what you think it does with that.

This is a valid arithmetic expression. The `assoc' is marked as having its
subscript expanded once, since it has. The `b' is not, because it has not.
So when the arithmetic evaluator gets `b[$(uname >&2)]', it expands the
subscript.

The shell could internally quote the subscript, but it doesn't do that
right now.


--
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/
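
Added example, not part of the thread or of bash itself: one way to increment an element under an untrusted key so that the key never reaches the arithmetic evaluator described in the message above. The helper names `incr_key` and `demo` are hypothetical; the array name and the two keys are taken from the thread, and bash 4 or later is assumed.

```shell
#!/usr/bin/env bash
# Added example. Associative arrays need bash 4+, so re-exec under bash
# if this file was started by another sh.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

declare -A assoc   # same array name as in the thread

# incr_key KEY: add 1 to assoc[KEY] without ever placing KEY inside an
# arithmetic expression. (Hypothetical helper name.)
incr_key() {
    local key=$1 cur re='^(0|-?[1-9][0-9]*)$'
    # ${assoc[$key]} is a parameter expansion: $key is expanded once and
    # the result is used literally as the subscript.
    cur=${assoc[$key]:-0}
    # Arithmetic also evaluates variable *values* as expressions, so only
    # a plain decimal integer is allowed to reach $(( )).
    if [[ ! $cur =~ $re ]]; then
        printf 'incr_key: non-integer value stored for key %q\n' "$key" >&2
        return 1
    fi
    # Only the validated number is evaluated; the key appears in an
    # ordinary assignment subscript, outside any arithmetic context.
    assoc[$key]=$(( cur + 1 ))
}

# Constructed demo: the two keys from the thread, each incremented twice.
demo() {
    local k
    for k in $'\n\'' 'x],b[$(uname >&2)'; do
        incr_key "$k" && incr_key "$k"
    done
    for k in "${!assoc[@]}"; do
        printf '%q => %s\n' "$k" "${assoc[$k]}"
    done
}
demo
```

Both keys end up stored literally with the value 2, and nothing is written by `uname`.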
