Le 29/10/2021 à 00:29, Greg Wooledge écrivait :
On Thu, Oct 28, 2021 at 08:33:22PM +0000, elettrino via Bug reports for the GNU
Bourne Again SHell wrote:
user@machine:~$ USER_INPUT='x[$(id>&2)]'
user@machine:~$ test -v "$USER_INPUT"
uid=1519(user) gid=1519(user) groups=1519(user),100(users)
user@machine:~$
Whoo. This uses a feature that was introduced in bash 4.2. It doesn't
cause code injection in bash 4.2, though. It *does* cause code injection
in bash 4.3 through 5.1.
Adding it to my wiki page.
A safe way to replace:
test -v "$USER_INPUT"
Would be:
test "${USER_INPUT@Q}"
But it is not backward-compatible with older bash versions.
Alternatively:
declare -p USER_INPUT >/dev/null 2>&1
will work with much older bash versions
Any other way witch are less bulky and or more backward compatible?
--
Léa Gris
