[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: I've found a vulnerability in bash
From: |
Ilkka Virta |
Subject: |
Re: I've found a vulnerability in bash |
Date: |
Wed, 17 Nov 2021 15:47:15 +0200 |
On Wed, Nov 17, 2021 at 2:42 PM Marshall Whittaker <
marshallwhittaker@gmail.com> wrote:
> [marshall@jerkon]{04:09 AM}: [~/bashful] $ touch -- '--version'
> [marshall@jerkon]{04:09 AM}: [~/bashful] $ rm *
> rm (GNU coreutils) 8.30
> Copyright (C) 2018 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <
> https://gnu.org/licenses/gpl.html>;.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Written by Paul Rubin, David MacKenzie, Richard M. Stallman,
> and Jim Meyering.
> [marshall@jerkon]{04:09 AM}: [~/bashful] $
>
A common pitfall, due to how the utility can't tell what strings come from
globs and what
were given literally. See e.g.
https://unix.stackexchange.com/questions/1519/how-do-i-delete-a-file-whose-name-begins-with-hyphen-a-k-a-dash-or-minus
and https://dwheeler.com/essays/filenames-in-shell.html (though the latter
is rather long and depressing.)
I don't see this in BashFAQ, though. Is it because it's not strictly about
Bash? Greg?
Also, GNU rm has a helpful helptext about it:
$ rm --help
Usage: rm [OPTION]... [FILE]...
Remove (unlink) the FILE(s).
[...]
To remove a file whose name starts with a '-', for example '-foo',
use one of these commands:
rm -- -foo
rm ./-foo
Note that if you use rm to remove a file, it might be possible to recover
some of its contents, given sufficient expertise and/or time. For greater
assurance that the contents are truly unrecoverable, consider using shred.
- I've found a vulnerability in bash, Marshall Whittaker, 2021/11/17
- Re: I've found a vulnerability in bash, Greg Wooledge, 2021/11/17
- Re: I've found a vulnerability in bash, Alex fxmbsw7 Ratchev, 2021/11/17
- Re: I've found a vulnerability in bash,
Ilkka Virta <=
- Re: I've found a vulnerability in bash, Chet Ramey, 2021/11/17
- Re: I've found a vulnerability in bash, Marshall Whittaker, 2021/11/19
- Re: I've found a vulnerability in bash, Alex fxmbsw7 Ratchev, 2021/11/19
- Re: I've found a vulnerability in bash, Kerin Millar, 2021/11/19
- Message not available
- Re: I've found a vulnerability in bash, Kerin Millar, 2021/11/19
- Re: I've found a vulnerability in bash, Marshall Whittaker, 2021/11/19
- Re: I've found a vulnerability in bash, Kerin Millar, 2021/11/19
- Re: I've found a vulnerability in bash, Eric Blake, 2021/11/19
- Re: I've found a vulnerability in bash, Kerin Millar, 2021/11/19