shell variable security
Miner, Jonathan W (CSC) (US SSA)
jonathan.w.miner at baesystems.com
Wed Oct 3 18:31:12 UTC 2007
-----Original Message-----
From: fedora-list-bounces at redhat.com on behalf of Luciano Rocha
Sent: Wed 10/03/2007 02:18 PM
To: fedora-list at redhat.com
Cc:
Subject: Re: shell variable security
On Wed, Oct 03, 2007 at 06:01:59PM +0000, tony.chamberlain at lemko.com wrote:
>
>
> I guess I was asking in general how you can be sure your variables are safe.
> Maybe it is more complicated than that? I really have just heard warnings from
> everyone, so I was taking pre-emptive measures.
>
> I tried a few things myself too and also could not get that problem.
>
> I tried making a file called test and doing things like
>
> K="$1"
> echo $K
>
>
> and then calling
>
> test "hello\";date"
>
> a nd
> FIL="$1"
> ls $FIL
>
> but that seemed to be OK
>
test "hello /etc/* bye"
Is one instance where the expansion is performed (with ls & echo).
That will cause problems with things like rm, etc.
-------------------------------
Ok... I modified by test case to use `rm` instead of echo:
while read line; do
rm $line
done
And the ';' still gets automatically quoted. So when I entered 'a; date', it tried to delete the file 'a;' and the file 'date', neither existed.
% bash -x x.sh
+ read line
a; date
+ rm 'a;' date
rm: cannot remove `a;': No such file or directory
rm: cannot remove `date': No such file or directory
+ read line
Getting back the OP concern, this becomes much more critical when constructing database queries with user supplied data.
Intent:
select * from users where name = "$input";
Exploit: (user provided data in {})
select * from users where name = "{JON"; DELETE FROM USERS WHERE "X" = "X}";
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 3472 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20071003/193b34a6/attachment-0001.bin
More information about the users
mailing list