Re: Why is *splitting every word* is a shell security hole?
From: Emanuele Torre
Subject: Re: Why is *splitting every word* is a shell security hole?
Date: Mon, 19 Aug 2024 16:50:08 +0200
User-agent: Mutt/2.2.13 (2024-03-09)

On Mon, Aug 19, 2024 at 11:41:38AM +0000, shynur . wrote:
> Hi, friends,
>
> I'm reading the paper by Chet Ramey.
> Here: <https://tiswww.case.edu/php/chet/bash/rose94.pdf>.
>
> In section 4.2.5:
> > Bash and ksh split only the results of expansion,
> > rather than every word as sh does, closing a
> > long-standing shell security hole.
>
> Why is *splitting every word* is a shell security hole?
> Can someone give me an example? Thanks!

That is probably referring to the fact that Bourne shells split all
unquoted words including literal words, unlike bash, ksh, and later
POSIX sh:

    b# IFS=b; set -x; echo foobar
    + echo foo ar
    foo ar
    b# IFS=b; set -x; echo 'foobar'
    + echo foobar
    foobar

I don't know what security hole it is talking about specifically, but
you could imagine something like rmdir foo running rm ir foo if
IFS is set to 'd'.

    b# IFS=d; set -x; rmdir foo
    + rm ir foo
    ...

o/
emanuele6
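
The following is an added example, not part of the original message: it shows that a modern shell leaves literal words intact under IFS=d but still splits unquoted expansions, which is why quoting matters. The function names are hypothetical, and legacy_words only emulates the every-word splitting shown in the transcripts above.

```shell
#!/bin/sh
# Constructed demo: field splitting under IFS=d in bash, ksh or POSIX sh.

# Print how many arguments were received.
count_args() { echo "$#"; }

# Literal word: a modern shell never field-splits it.
literal_fields() ( IFS=d; count_args rmdir )

# Unquoted expansion: the result of $cmd is split on IFS characters.
unquoted_fields() ( cmd=rmdir; IFS=d; count_args $cmd )

# Quoted expansion: splitting is suppressed.
quoted_fields() ( cmd=rmdir; IFS=d; count_args "$cmd" )

# Hypothetical helper: emulate a shell that splits every word of a
# command line on IFS, literal words included.
# $1 = IFS value, remaining arguments = the words of the command line.
legacy_words() (
    ifs=$1; shift
    set -f          # keep globbing out of the emulation
    IFS=$ifs
    set -- $*       # each word is split again on the IFS characters
    IFS=' '
    echo "$*"       # words joined with single spaces
)

printf 'literal word:       %s field(s)\n' "$(literal_fields)"
printf 'unquoted expansion: %s field(s)\n' "$(unquoted_fields)"
printf 'quoted expansion:   %s field(s)\n' "$(quoted_fields)"
printf 'every-word split:   %s\n' "$(legacy_words d rmdir foo)"
```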