Re: unexpected exit code for integer operation
On 10/27/21 10:09 PM, Kerin Millar wrote:
> This is to be expected. It works the same way as in other languages, such as C. You should use the operator that reflects your intent.

Understood - thx for the explanation.

--
Toralf

Arbitrary command execution from test on a quoted string
The following shows an example of bash testing a quoted string and as a result executing a command embedded in the string.

Here I used the command "id" to stand as an example of a command. The output of id on this machine was as follows:

user@machine:~$ id
uid=1519(user) gid=1519(user) groups=1519(user),100(users)
user@machine:~$

So to demonstrate:

user@machine:~$ USER_INPUT='x[$(id>&2)]'
user@machine:~$ test -v "$USER_INPUT"
uid=1519(user) gid=1519(user) groups=1519(user),100(users)
user@machine:~$

This means that if variable USER_INPUT was indeed input from a user, the user could execute an arbitrary command.

Also unexpected (and presumably related), bash is expanding the construct inside single quote marks:

user@machine:~$ test -v 'x[$(id>&2)]'
uid=1519(user) gid=1519(user) groups=1519(user),100(users)
user@machine:~$

user@machine:~$ echo $BASH_VERSION
4.4.20(1)-release
user@machine:~$

I don't know whether this happens with anything other than the -v option with test; I have not seen it happen under any other circumstance.

Sent with [ProtonMail](https://protonmail.com) Secure Email.

Re: Arbitrary command execution from test on a quoted string
On Thu, 28 Oct 2021 20:33:22 + elettrino via Bug reports for the GNU Bourne Again SHell wrote:

> The following shows an example of bash testing a quoted string and as a
> result executing a command embedded in the string.
>
> Here I used the command "id" to stand as an example of a command. The output
> of id on this machine was as follows:
>
> user@machine:~$ id
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
>
> So to demonstrate:
>
> user@machine:~$ USER_INPUT='x[$(id>&2)]'
> user@machine:~$ test -v "$USER_INPUT"
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
>
> This means that if variable USER_INPUT was indeed input from a user, the user
> could execute an arbitrary command.
>
> Also unexpected (and presumably related), bash is expanding the construct
> inside single quote marks:
>
> user@machine:~$ test -v 'x[$(id>&2)]'
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
>
> user@machine:~$ echo $BASH_VERSION
> 4.4.20(1)-release
> user@machine:~$
>
> I don't know whether this happens with anything other than the -v option with
> test; I have not seen it happen under any other circumstance.
>
> Sent with [ProtonMail](https://protonmail.com) Secure Email.

It is a regrettable consequence of the arithmetical context. See https://mywiki.wooledge.org/BashProgramming/05#Arithmetic_Expansion for some other examples. As things stand, your only option is to validate or sanitise arbitrarily specified array indices before proceeding to use them in such a context.

--
Kerin Millar

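One way to apply the validate-before-use advice in the reply above, as an added example that is not part of the thread or any poster's code. The helper names is_identifier, is_safe_ref and var_is_set are hypothetical, the sample inputs are constructed, and the set-check uses the portable ${name+set} expansion through eval instead of test -v, so it goes slightly beyond the case in the thread.

```sh
#!/bin/sh
# Added example; is_identifier, is_safe_ref and var_is_set are hypothetical helpers.

# True only for a plain shell identifier: [A-Za-z_][A-Za-z0-9_]*
is_identifier() {
    case $1 in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Accept NAME or NAME[decimal index]; reject everything else, so no
# "$(...)" or other expression can reach the subscript's arithmetic context.
is_safe_ref() {
    case $1 in
        *\[*\])
            is_identifier "${1%%\[*}" || return 1
            # Text after the first "[" must be digits followed by one "]".
            case ${1#*\[} in
                \]|*[!0-9]*\]) return 1 ;;
            esac ;;
        *)  is_identifier "$1" || return 1 ;;
    esac
}

# Exit status: 0 = set, 1 = unset, 2 = rejected without being evaluated.
var_is_set() {
    is_safe_ref "$1" || return 2
    # eval is acceptable here only because $1 passed the allowlist above.
    eval "[ -n \"\${$1+set}\" ]"
}

demo() {
    GREETING=hello; unset SAMPLE_UNSET_VAR      # constructed sample state
    for ref in GREETING SAMPLE_UNSET_VAR 'x[$(id>&2)]' 'GREETING;id'; do
        rc=0; var_is_set "$ref" || rc=$?
        case $rc in
            0) echo "set:      $ref" ;;
            1) echo "unset:    $ref" ;;
            *) echo "rejected: $ref" ;;
        esac
    done
}
demo
```

The array form NAME[index] in the final eval needs a shell with arrays (bash, ksh, zsh); the plain NAME form works in any POSIX sh.
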
Re: Arbitrary command execution from test on a quoted string
On Thu, Oct 28, 2021 at 08:33:22PM +, elettrino via Bug reports for the GNU Bourne Again SHell wrote:

>
> user@machine:~$ USER_INPUT='x[$(id>&2)]'
> user@machine:~$ test -v "$USER_INPUT"
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$

Whoo. This uses a feature that was introduced in bash 4.2. It doesn't cause code injection in bash 4.2, though. It *does* cause code injection in bash 4.3 through 5.1.

Adding it to my wiki page.

Re: Arbitrary command execution from test on a quoted string
On 29/10/2021 at 00:29, Greg Wooledge wrote:

> On Thu, Oct 28, 2021 at 08:33:22PM +, elettrino via Bug reports for the GNU Bourne Again SHell wrote:
>
> > user@machine:~$ USER_INPUT='x[$(id>&2)]'
> > user@machine:~$ test -v "$USER_INPUT"
> > uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> > user@machine:~$
>
> Whoo. This uses a feature that was introduced in bash 4.2. It doesn't cause code injection in bash 4.2, though. It *does* cause code injection in bash 4.3 through 5.1.
>
> Adding it to my wiki page.

A safe way to replace:

test -v "$USER_INPUT"

Would be:

test "${USER_INPUT@Q}"

But it is not backward-compatible with older bash versions.

Alternatively:

declare -p USER_INPUT >/dev/null 2>&1

will work with much older bash versions.

Any other ways which are less bulky and/or more backward compatible?

--
Léa Gris