bug-bash

Re: Code Execution in Mathematical Context


From: Ilkka Virta
Subject: Re: Code Execution in Mathematical Context
Date: Tue, 4 Jun 2019 22:26:59 +0300
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:60.0) Gecko/20100101 Thunderbird/60.7.0

On 4.6. 16:24, Greg Wooledge wrote:
> On Tue, Jun 04, 2019 at 01:42:40PM +0200, Nils Emmerich wrote:
>> Bash Version: 5.0
>> Patch Level: 0
>> Release Status: release
>>
>> Description:
>>         It is possible to get code execution via a user supplied variable in
>> the mathematical context.
>>
>> For example:  (( 'a[i]++' ))   or   let 'a[i]++'
>
> Without quotes in the former, something bad happens, but I can't remember
> the details off the top of my head.

If the bad user supplied variable contains array indexing in itself, e.g. bad='none[$(date >&2)]' then using it in an arithmetic expansion still executes the 'date', single quotes or not (the array doesn't need to exist):

  $ a=(123 456 789) bad='none[$(date >&2)]'
  $ unset none
  $ (( a[bad]++ ))
  Tue Jun  4 22:00:38 EEST 2019
  $ (( 'a[bad]++' ))
  Tue Jun  4 22:00:42 EEST 2019

Same here, of course:

  $ (( bad ))
  Tue Jun  4 22:04:29 EEST 2019
  $ (( 'bad' ))
  Tue Jun  4 22:04:32 EEST 2019

So, it doesn't seem the single-quotes help. They do seem to break the whole expression within "$(( ))", though:

  $ echo "$(( 'a[2]' ))"
  bash: 'a[2]' : syntax error: operand expected (error token is "'a[2]' ")
  $ i=2
  $ echo "$(( 'a[i]' ))"
  bash: 'a[i]' : syntax error: operand expected (error token is "'a[i]' ")
  $ echo "$(( 'a[$i]' ))"
  bash: 'a[2]' : syntax error: operand expected (error token is "'a[2]' ")


Maybe it would be better to try to sanity-check any user-provided values first:

  $ case $var in *[^0123456789]*) echo "Invalid input" >&2; exit 1;; esac
  $ (( a[var]++ ))      # safe now?


--
Ilkka Virta / itvirta@iki.fi
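A defensive version of the sanity check suggested at the end of the message, as an added example that is not part of the thread: the value is validated before it ever reaches an arithmetic context, so a string shaped like the thread's 'none[$(date >&2)]' is refused rather than evaluated. It assumes bash 4.3 or later (for the nameref); the names is_uint and safe_incr are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: validate an index before it reaches
# (( ... )), so a value like 'none[$(date >&2)]' is rejected, not evaluated.

# Succeed only for a non-empty string of ASCII digits (the thread's
# case-pattern check, plus a rejection of the empty string).
is_uint() {
  case $1 in
    '' | *[!0-9]*) return 1 ;;
    *)             return 0 ;;
  esac
}

# Increment element $2 of the array named in $1, refusing any index that
# did not pass is_uint. The nameref needs bash 4.3 or later (assumption).
safe_incr() {
  local -n arr_ref=$1
  local idx=$2
  if ! is_uint "$idx"; then
    printf 'refusing index %q\n' "$idx" >&2
    return 1
  fi
  (( arr_ref[idx]++ ))
}

a=(123 456 789)
safe_incr a 1                                        # a[1] becomes 457
if ! safe_incr a 'none[$(date >&2)]'; then           # nothing in $(...) runs
  echo 'rejected as expected' >&2
fi
if ! safe_incr a ''; then                            # empty index rejected
  echo 'rejected as expected' >&2
fi
echo "${a[*]}"                                       # 123 457 789
```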
