Re: shell variable security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> 
> test "hello /etc/* bye"
> 
> Is one instance where the expansion is performed (with ls & echo).
> 
> That will cause problems with things like rm, etc.
> -------------------------------
> 
> Ok... I modified by test case to use `rm` instead of echo:
> 
> while read line; do
>   rm $line
> done
> 
> And the ';' still gets automatically quoted.  So when I entered 'a; date', it tried to delete the file 'a;' and the file 'date', neither existed.

Yes. After parameter/variable substitution, the only other operations
done by the shell are:
- word splitting (separate by $IFS or blanks)
- pathname expansion (*,?,[],...)

So some security problems can still happen if one doesn't take care to
quote all external data:
rm "$line"

Command execution can't be done, but the user can still remove some file
or directory that he shouldn't, or confuse some sub-program by passing
unexpected parameters.

> 
> Getting back the OP concern, this becomes much more critical when constructing database queries with user supplied data.
> 

Very true, and there's also the problem with cross-site-scripting,
format string vulnerabilities, etc..

-- 
lfr
0/0

Attachment: pgpLhKilHjybn.pgp
Description: PGP signature


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux