shell variable security

[Miner, Jonathan W (CSC) (US SSA)]

-----Original Message-----
From:	fedora-list-bounces at redhat.com on behalf of Luciano Rocha
Sent:	Wed 10/03/2007 02:18 PM
To:	fedora-list at redhat.com
Cc:	
Subject:	Re: shell variable security

On Wed, Oct 03, 2007 at 06:01:59PM +0000, tony.chamberlain at lemko.com wrote:
> 
> 
> I guess I was asking in general how you can be sure your variables are safe.
> Maybe it is more complicated than that? I really have just heard warnings from
> everyone, so I was taking pre-emptive measures.
> 
> I tried a few things myself too and also could not get that problem.
> 
> I tried making a file called test and doing things like
> 
>  K="$1"
>  echo $K
> 
> 
> and then calling
> 
>  test "hello\";date"
> 
> a nd
>  FIL="$1"
>  ls $FIL
> 
> but that seemed to be OK 
> 

test "hello /etc/* bye"

Is one instance where the expansion is performed (with ls & echo).

That will cause problems with things like rm, etc.
-------------------------------

Ok... I modified by test case to use `rm` instead of echo:

while read line; do
  rm $line
done

And the ';' still gets automatically quoted.  So when I entered 'a; date', it tried to delete the file 'a;' and the file 'date', neither existed.

% bash -x x.sh
+ read line
a; date
+ rm 'a;' date
rm: cannot remove `a;': No such file or directory
rm: cannot remove `date': No such file or directory
+ read line

Getting back the OP concern, this becomes much more critical when constructing database queries with user supplied data.

Intent:

select * from users where name = "$input";

Exploit: (user provided data in {})

select * from users where name = "{JON"; DELETE FROM USERS WHERE "X" = "X}";
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 3472 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20071003/193b34a6/attachment-0001.bin