Forwarded conversation
Subject: Arithmetic + array allows for code injection
------------------------
From: Pierre Gaston <pierre.gas...@gmail.com>
Date: Fri, May 30, 2014 at 7:57 PM
To: "bug-b...@gnu.org" <bug-b...@gnu.org>
It doesn't seem right for code looking as innocent as $((a[$i])) or
$((a["$i"])) to allow running arbitrary commands for some value of i, that
are no even that clever:
$ i='$( echo >&2 an arbitrary command )';: $((a["$i"]))
an arbitrary command
$ i='"$( echo >&2 an arbitrary command)"';: $((a[$i]))
an arbitrary command
----------
From: Greg Wooledge <wool...@eeg.ccf.org>
Date: Fri, May 30, 2014 at 8:08 PM
To: Pierre Gaston <pierre.gas...@gmail.com>
Cc: "bug-b...@gnu.org" <bug-b...@gnu.org>
A workaround is to avoid the explicit $i inside the square brackets:
imadev:~$ i='$(date)'; : $((a[$i]))
bash: Fri May 30 14:05:34 EDT 2014: syntax error in expression (error
token is "May 30 14:05:34 EDT 2014")
imadev:~$ i='$(date)'; : $((a[i]))
bash: $(date): syntax error: operand expected (error token is "$(date)")
I don't dispute the need to fix it, though.
----------
From: Pierre Gaston <pierre.gas...@gmail.com>
Date: Fri, May 30, 2014 at 8:12 PM
To: Greg Wooledge <wool...@eeg.ccf.org>
Cc: "bug-b...@gnu.org" <bug-b...@gnu.org>
Right, in fact when this bug was found when playing with associative arrays
where this workaround is not possible, with declare -A a you can use
$((${a["$i"]}))
----------
From: Dan Douglas <orm...@gmail.com>
Date: Sat, May 31, 2014 at 4:28 AM
To: bug-b...@gnu.org
Cc: Pierre Gaston <pierre.gas...@gmail.com>
The problem is most people don't realize how "variables" are evaluated.
Any time the shell needs to reference a variable, it takes a string
like: "arr[$foo]" and, if there's an index, the string within the index
gets processed for expansions. The arithmetic evaluator is no exception.
The correct way to write such a thing is to let the variable evaluation
expand the parameter from the arithmetic evaluator:
$ bash -c 'typeset -A a; i=\" a[$i]=1+1; echo "$((a[\$i]))"'
2
$ ksh -c 'typeset -A a; i=\" a[$i]=1+1; echo "$((a[\$i]))"'
2
$ zsh -c 'typeset -A a; i=\" a[$i]=1+1; echo "$((a[\$i]))"'
2
Just to clarify, this came up during a discussion in freenode/#ksh (I
believe Jilles Tjoelker first pointed out the issue).
He noticed that ksh93 in some cases allows associative array indexes to
be interpreted differently by the arithmetic evaluator. Namely, if `i=]`
or `i=\"` then ksh uses that value as the index. Bash simply performs
all the usual expansions then takes the resulting string and passes it
to the arithmetic evaluator.
But notice that even ksh processes indexes for expansions. I don't know
why it allows those specific exceptions, and I think I even found a bug
in ksh here.
# Bash is correct here AFAICT.
$ bash -c 'typeset -A a; i="\$(echo \\\")" a[\"]=1+1; echo "$((a[$i]))"'
2
# ksh93 fails this test:
$ ksh -c 'typeset -A a; i="\$(echo \\\")" a[\"]=1+1; echo "$((a[$i]))"'
ksh: syntax error at line 1: `end of file' unexpected
--
Dan Douglas
--
Irek
_______________________________________________
ast-developers mailing list
ast-developers@lists.research.att.com
http://lists.research.att.com/mailman/listinfo/ast-developers
