-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx on behalf of Luciano Rocha
Sent: Wed 10/03/2007 02:18 PM
To: fedora-list@xxxxxxxxxx
Cc:
Subject: Re: shell variable security
On Wed, Oct 03, 2007 at 06:01:59PM +0000, tony.chamberlain@xxxxxxxxx wrote:
>
>
> I guess I was asking in general how you can be sure your variables are safe.
> Maybe it is more complicated than that? I really have just heard warnings from
> everyone, so I was taking pre-emptive measures.
>
> I tried a few things myself too and also could not get that problem.
>
> I tried making a file called test and doing things like
>
> K="$1"
> echo $K
>
>
> and then calling
>
> test "hello\";date"
>
> a nd
> FIL="$1"
> ls $FIL
>
> but that seemed to be OK
>
test "hello /etc/* bye"
Is one instance where the expansion is performed (with ls & echo).
That will cause problems with things like rm, etc.
-------------------------------
Ok... I modified by test case to use `rm` instead of echo:
while read line; do
rm $line
done
And the ';' still gets automatically quoted. So when I entered 'a; date', it tried to delete the file 'a;' and the file 'date', neither existed.
% bash -x x.sh
+ read line
a; date
+ rm 'a;' date
rm: cannot remove `a;': No such file or directory
rm: cannot remove `date': No such file or directory
+ read line
Getting back the OP concern, this becomes much more critical when constructing database queries with user supplied data.
Intent:
select * from users where name = "$input";
Exploit: (user provided data in {})
select * from users where name = "{JON"; DELETE FROM USERS WHERE "X" = "X}";
<<winmail.dat>>
