[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Is this exploitable?
|
From: |
Jon Seymour |
|
Subject: |
Re: Is this exploitable? |
|
Date: |
Mon, 11 May 2009 23:23:23 +1000 |
Yes, I realised that I should have at least used // after I posted,
not that that would have been sufficient. Thanks for the solution.
jon.
On Mon, May 11, 2009 at 10:20 PM, Greg Wooledge <wooledg@eeg.ccf.org> wrote:
> On Mon, May 11, 2009 at 10:35:18AM +1000, Jon Seymour wrote:
>> I am trying to parse untrusted strings and represent in a form that
>> would be safe to execute.
>
> printf "%q"
>
>> cmd="echo"
>> for a in "$@"
>> do
>> cmd="$cmd '${a/\'/''}'"
>> done
>> echo "$cmd"
>> eval "$cmd"
>
> http://mywiki.wooledge.org/BashFAQ/050 - I'm trying to put a command in
> a variable, but the complex cases always fail!
>
> Your escaping is wrong in any event. You don't escape an apostrophe
> by putting another apostrophe in front of it. I.e., this is NOT valid
> bash syntax:
>
> echo 'can''t'
>
> This is:
>
> echo 'can'\''t'
>
> Also, your parameter expansion is only handling the FIRST apostrophe
> in each argument. That's surely not enough.
>
> As I said earlier: printf "%q"
>
>> Is my code safe, or can someone maliciously choose arguments to
>> as-echo.sh that could cause it (as-echo.sh) to do something other than
>> write to stdout?
>
> imadev:~$ ./as-echo.sh ls "can't';date'"
> 'ls' 'can''t';date''
> cant not found
> Mon May 11 08:19:33 EDT 2009
>