shell variable security
Luciano Rocha
strange at nsk.no-ip.org
Wed Oct 3 19:18:01 UTC 2007
>
> test "hello /etc/* bye"
>
> Is one instance where the expansion is performed (with ls & echo).
>
> That will cause problems with things like rm, etc.
> -------------------------------
>
> Ok... I modified by test case to use `rm` instead of echo:
>
> while read line; do
> rm $line
> done
>
> And the ';' still gets automatically quoted. So when I entered 'a; date', it tried to delete the file 'a;' and the file 'date', neither existed.
Yes. After parameter/variable substitution, the only other operations
done by the shell are:
- word splitting (separate by $IFS or blanks)
- pathname expansion (*,?,[],...)
So some security problems can still happen if one doesn't take care to
quote all external data:
rm "$line"
Command execution can't be done, but the user can still remove some file
or directory that he shouldn't, or confuse some sub-program by passing
unexpected parameters.
>
> Getting back the OP concern, this becomes much more critical when constructing database queries with user supplied data.
>
Very true, and there's also the problem with cross-site-scripting,
format string vulnerabilities, etc..
--
lfr
0/0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20071003/634424cf/attachment-0001.bin
More information about the users
mailing list