[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Can "gawk -i extension" be made safer?
|
From: |
arnold |
|
Subject: |
Re: Can "gawk -i extension" be made safer? |
|
Date: |
Sat, 24 Jun 2023 13:23:16 -0600 |
|
User-agent: |
Heirloom mailx 12.5 7/5/10 |
Hi.
Thank you for your note.
Gawk's behavior has been what it is for over a decade and cannot
be changed now.
The issue boils down to having a value of AWKPATH that you consider
to be safe in the environment. As gawk's behavior is thoroughly documented
in the manual, and as gawk, like most Unix tools, assumes that users know
what they are doing, it's up to the user to set an AWKPATH in their
.profile or .bashrc that they are comfortable with.
Thanks,
Arnold
Stephane Chazelas <stephane@chazelas.org> wrote:
> Hello,
>
> as noted at
> https://unix.stackexchange.com/questions/749645/how-to-safely-use-gawks-i-option
>
> Doing things like:
>
> gawk -i inplace '...' somefiles
>
> Or:
>
> gawk -i shellquote 'system("cmd -- " shellquote(...))'
>
> Are security vulnerabilities if run from within directories
> where we can't guarantee someone could not plant malicious files
> called "inplace" or "inplace.awk" (or "shellquote",
> "shellquote.awk").
>
> That's because those extensions are looked-up in $AWKPATH which
> by default has "." as the first directory to look for those
> extensions in.
>
> /tmp$ echo 'BEGIN{system("echo rm -rf ~"); exit}' > shellquote
> /tmp$ gawk -i shellquote 'BEGIN{system("id -- "
> shellquote(ENVIRON["LOGNAME"]))}'
> rm -rf /home/chazelas
>
> Oops. (don't remove that echo!)
>
> IMO, gawk -f file (or -E) should only look for "file" in the
> current working directory (and not even fall back to searching
> for "file.awk") as POSIX requires and gawk -i extension should
> only look for extension (or extension.awk) in a $AWKPATH which
> by default should not include any relative path.
>
> But I acknowledge it may be too late to change that as some
> users might already use gawk -f cmd and expect cmd (or cmd.awk)
> to be looked up in $AWKPATH and some may use gawk -i lib and
> expect the lib.awk in the current working directory to be
> included.
>
> But maybe a new -I as a safer version of -i could be introduced
> that only looks up the extensions in the absolute directories of
> $AWKPATH?
>
> It should also be relatively safe to disable that $AWKPATH
> lookup (and .awk suffix addition) for -f in -Wposix or
> -Wtraditional mode.
>
> Same for -E which is intended for #! /usr/bin/gawk -E shebangs
> where looking up the file in $AWKPATH or adding that .awk
> wouldn't make sense,
>
> --
> Stephane
- Can "gawk -i extension" be made safer?, Stephane Chazelas, 2023/06/24
- Re: Can "gawk -i extension" be made safer?,
arnold <=
- Re: Can "gawk -i extension" be made safer?, Stephane CHAZELAS, 2023/06/25
- Re: Can "gawk -i extension" be made safer?, Andrew J. Schorr, 2023/06/26
- Re: Can "gawk -i extension" be made safer?, Stephane CHAZELAS, 2023/06/26
- Re: Can "gawk -i extension" be made safer?, Andrew J. Schorr, 2023/06/26
- Re: Can "gawk -i extension" be made safer?, Stephane CHAZELAS, 2023/06/27
- Re: Can "gawk -i extension" be made safer?, arnold, 2023/06/27