Re: [Help-bash] bash suitable for parsing big files?

[adrelanos]

Chris Down:
> On 2013-09-14 04:21, adrelanos wrote:
>> This was another fine idea. I am now using:
>>
>>    while read -r package status arch version_with; do
>> ...
>>    done < <(dpkg-query --admindir="$dpkg_status_folder"
>> --showformat="\${Package}\t\${db:Status-Abbrev}\t\${Architecture}\t\${Version}\n"
>> --show \*)
>>
>> Is this safe from a security perspective (this is untrusted input) of
>> could a malformed dpkg status file containing things like "`$(echo a)`"
>> lead to code execution in bash?
> 
> That entirely depends on where you are getting these variables from.

There is only one variable. dpkg_status_folder and it's set by the
verification script itself, so it is trusted.

The dpkg-query binary is trusted, because it's the one from the machine
doing the verification.

The /var/lib/dpkg/status file, which dpkg-query will parse is untrusted,
because it's read from the image.

So if we look again at

   done < <(dpkg-query --admindir="$dpkg_status_folder"
--showformat="\${Package}\t\${db:Status-Abbrev}\t\${Architecture}\t\${Version}\n"
--show \*)

I could rephrase my question as: Is it possible, that anything within
"done < <(...)" gets executed? For example, "dpkg-query
--showformat="\${Package}\t\${db:Status-Abbrev}\t\${Architecture}\t\${Version}\n"
--show \*" could return a bogus line containing "zenity-common   ii
 all     $(echo a)".