On Mon, 13 Mar 2017 at 21:58:17 +0100, Carsten Schoenert wrote:
> I had modified the wrapper script in the meantime a little bit
> differently. I've done some more effort to catch some special arguments
> and get them safely prepared to the binary call.
> There is for sure more than one way to get the argument passing done.
+ if [[ "${ARG}" =~ ([[:space:]]|[(,|=)]) ]]; then
+ TB_ARGS="${TB_ARGS} \"${ARG}\""
+ else
+ # No special handling needed.
+ TB_ARGS="${TB_ARGS} ${ARG}"
...
+ eval "${MOZ_LIBDIR}"/"${MOZ_APP_NAME}" "${TB_ARGS}"

No, that is not general and could be a security vulnerability. Consider
what would happen with an argument containing $ or ` or backslashes.

The attached script is a simplified version of that change. The goal is
that the input parses the same as the output.

$ ./t.sh hello
in: argv[1]=«hello»
out: argv[1]=«hello»
$ ./t.sh foo bar
in: argv[1]=«foo»
in: argv[1]=«bar»
out: argv[1]=«foo»
out: argv[1]=«bar»

So far so good, but quote marks and backslashes get lost:

$ ./t.sh "'foo bar'"
in: argv[1]=«'foo bar'»
out: argv[1]=«foo bar»
$ ./t.sh '\a'
in: argv[1]=«\a»
out: argv[1]=«a»

it's easy to get a syntax error:

$ ./t.sh "\""
in: argv[1]=«"»
./t.sh: eval: line 32: unexpected EOF while looking for matching `"'
./t.sh: eval: line 33: syntax error: unexpected end of file

and a maliciously supplied filename or argument (think invoking
thunderbird as a file or URL handler) can cause code execution (imagine
expr was a malicious command here):

$ ./t.sh '$(expr 2 + 2)'
in: argv[1]=«$(expr 2 + 2)»
out: argv[1]=«4»
$ ./t.sh '`expr 2 + 2`'
in: argv[1]=«`expr 2 + 2`»
out: argv[1]=«4»

Please use bash arrays as Daniel suggested: that is almost certainly the
simplest way to make this correct.

S
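Review bot: the first `+` branch wraps `${ARG}` in double quotes without escaping `$`, backticks, backslashes or `"` inside it, and the last `+` line hands the glued string to `eval`, so the argument is re-parsed as shell syntax rather than passed through; a filename or URL handed to the wrapper becomes code. Drop the string building and the `eval` altogether: append each argument to an array with `TB_ARGS+=("${ARG}")` and invoke the binary as `"${MOZ_LIBDIR}/${MOZ_APP_NAME}" "${TB_ARGS[@]}"`, which needs no special-casing of whitespace or punctuation.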
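The array-based fix the reply asks for, placed next to the condensed logic of the quoted patch, as an added example that is not the t.sh attached to this mail. `show_argv` is a hypothetical stand-in for `"${MOZ_LIBDIR}/${MOZ_APP_NAME}"`, and the script needs bash for `[[ =~ ]]` and arrays.

```bash
#!/bin/bash
# Added example: the quoted eval-based wrapper and its array-based
# replacement, both feeding show_argv, a stand-in for the real binary.

show_argv() {
    # Stand-in for the wrapped program: print what actually arrived in argv.
    local i=1 a
    for a in "$@"; do
        printf 'out: argv[%d]=«%s»\n' "$i" "$a"
        i=$((i + 1))
    done
}

# The quoted patch, condensed: arguments are glued into one string which
# eval re-parses, so quotes, backslashes, $(...) and `...` inside an
# argument are interpreted as shell syntax instead of being passed through.
unsafe_wrapped() {
    local TB_ARGS="" ARG
    for ARG in "$@"; do
        if [[ "${ARG}" =~ ([[:space:]]|[(,|=)]) ]]; then
            TB_ARGS="${TB_ARGS} \"${ARG}\""
        else
            TB_ARGS="${TB_ARGS} ${ARG}"
        fi
    done
    eval show_argv "${TB_ARGS}"
}

# The fix: keep the arguments in a bash array and expand it as
# "${tb_args[@]}", which preserves every element byte for byte, no eval.
safe_wrapped() {
    local -a tb_args=()
    local arg
    for arg in "$@"; do
        tb_args+=("$arg")
    done
    show_argv "${tb_args[@]}"
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    for sample in '\a' '$(expr 2 + 2)'; do
        printf 'in:  argv[1]=«%s»\n' "$sample"
        printf 'unsafe: '; unsafe_wrapped "$sample"
        printf 'safe:   '; safe_wrapped "$sample"
    done
fi
```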
t.sh
Description: Bourne shell script