
Re: bash exorcism experiment ('bug' 762923 & 763012)



2014-10-13 12:21:33 +0200, Thorsten Glaser:
> On Mon, 13 Oct 2014, Dominik George wrote:
> 
> > foo='x[$(rm -rf /)]'
> > echo $(( foo ))
> > 
> > Guess when the array index is evaluated? Now mind that it could be
> 
> This is fully and completely a user error. (User being the script.)
> 
> > user-provided.
> 
> Never put “tainted” input into ksh arithmetics, period.
> (And always initialise your variables.)
> 
> It could be documented better. Stéphane Chazelas said
> he may write it up in detail, which I have already promised
> will then be linked from the mksh manpage.
[...]

It's an error from a user not expecting arithmetic expressions
to be evaluated in such a silly way. Yet another design mistake
of Korn's.

No documentation will ever prevent users from doing

echo $(( ENV_VAR + 2 ))

That being a vector for arbitrary command execution is in breach
of the law of least astonishment.

I'd bet the first reaction of anyone finding it out would be
that the language is severely broken.

I and many others (and many others) have spent the last 20 years
telling people to quote their variables, that

echo $QUERYSTRING
or even
: ${QUERYSTRING:=foo}

is a DoS vector or worse
(QUERYSTRING=/*/*/*/../../../*/*/*/*/...)

, experimenting with teaching tools like the split+glob operator
(`echo $var` is applying the split+glob operator to the content
of $var)

to no avail. People still do:

echo $var

because it's the most intuitive thing to write. It's saying what
there should be in the tin. Many people don't understand or
don't believe you when you tell them you should actually use:

printf '%s\n' "$var"

So I do really wish that Debian's sh doesn't import any other
misfeature of the Korn shell.

If you need arrays, use "$@" or use "perl/python/ruby...", but
please don't break yet another shell with the Korn arrays or
arithmetics.

-- 
Stephane
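Added example, not part of the original thread: a small POSIX sh script showing the two defensive habits the message argues for. It validates a value as a plain decimal integer before it is allowed anywhere near `$(( ))`, so a string containing `[`, `$` or `(` is rejected rather than parsed as a variable name or array subscript; and it contrasts `echo $var` with `printf '%s\n' "$var"` on a value containing a glob character, using a temporary directory it creates itself. The function names and the file name `only-file` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Defensive handling of
# untrusted input in sh: validate before arithmetic, quote before output.

# is_uint: succeed only if $1 is a non-empty string of decimal digits.
# Anything else (letters, '[', '$', '(', spaces, empty string) is rejected,
# so the value can never be taken for a variable name or array subscript
# when it later appears inside $(( )).
is_uint() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# add_two: the "echo $(( ENV_VAR + 2 ))" pattern from the thread, but only
# after the input has passed is_uint. On bad input it prints nothing and
# returns 1 instead of handing the string to the arithmetic parser.
add_two() {
    is_uint "$1" || return 1
    echo $(( $1 + 2 ))
}

# count_words_unquoted / count_words_quoted: why `echo $var` is not
# `printf '%s\n' "$var"`. Unquoted expansion applies the split+glob
# operator; the quoted form passes the value through as one argument.
# Globbing is switched off here so only field splitting is demonstrated.
count_words_unquoted() {
    set -f
    set -- $1      # deliberately unquoted: split into separate words
    set +f
    echo "$#"
}
count_words_quoted() {
    set -- "$1"    # quoted: exactly one argument, whatever it contains
    echo "$#"
}

# print_unquoted / print_quoted: the glob half of split+glob. Both are run
# inside a throw-away directory holding a single constructed file named
# "only-file", so a value of '*' expands to that file name when unquoted
# and stays a literal '*' when quoted.
print_unquoted() {
    d=$(mktemp -d) || return 1
    : > "$d/only-file"
    ( cd "$d" && echo $1 )              # deliberately unquoted: glob applied
    rm -r "$d"
}
print_quoted() {
    d=$(mktemp -d) || return 1
    : > "$d/only-file"
    ( cd "$d" && printf '%s\n' "$1" )   # quoted: no splitting, no globbing
    rm -r "$d"
}

# Usage when run directly:
#   add_two 40            -> 42
#   add_two 'x[1]'        -> (nothing, exit status 1)
#   count_words_unquoted 'a b  c' -> 3 ; count_words_quoted 'a b  c' -> 1
#   print_unquoted '*'    -> only-file ; print_quoted '*' -> *
```

The `case` pattern is the whole check: because it is a whitelist of digits rather than a blacklist of dangerous characters, there is nothing for an attacker to sneak past it, and the same pattern works unchanged in dash, bash, ksh and mksh.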

