2014-10-13 12:21:33 +0200, Thorsten Glaser:
> On Mon, 13 Oct 2014, Dominik George wrote:
>
> > foo='x[$(rm -rf /)]'
> > echo $(( foo ))
> >
> > Guess when the array index is evaluated? Now mind that it could be
>
> This is fully and completely a user error. (User being the script.)
>
> > user-provided.
>
> Never put “tainted” input into ksh arithmetics, period.
> (And always initialise your variables.)
>
> It could be documented better. Stéphane Chazelas said
> he may write it up in detail, which I have already promised
> will then be linked from the mksh manpage.
[...]
It's an error from a user not expecting arithmetic expressions to be
evaluated in such a silly way. Yet another design mistake of Korn's.

No documentation will ever prevent users from doing

  echo $(( ENV_VAR + 2 ))

That being a vector for arbitrary command execution is in breach of the
law of least astonishment. I'd bet the first reaction of anyone finding
it out would be that the language is severely broken.

I and many others (and many others) have spent the last 20 years telling
people to quote their variables, that

  echo $QUERYSTRING

or even

  : ${QUERYSTRING:=foo}

is a DoS vector or worse (QUERYSTRING=/*/*/*/../../../*/*/*/*/...),
experimenting with teaching tools like the split+glob operator
(`echo $var` is applying the split+glob operator to the content of $var)
to no avail.

People still do:

  echo $var

because it's the most intuitive thing to write. It's saying what there
should be in the tin. Many people don't understand or don't believe you
when you tell them you should actually use:

  printf '%s\n' "$var"

So I do really wish that Debian's sh doesn't import any other misfeature
of the Korn shell. If you need arrays, use "$@" or use
"perl/python/ruby...", but please don't break yet another shell with the
Korn arrays or arithmetics.

--
Stephane

Archive: https://lists.debian.org/20141013210234.gc6...@chaz.gmail.com
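An added example, not taken from the thread or from mksh, of the rule both Thorsten and Stéphane describe: keep anything that may be user-supplied out of $(( ... )) until it has been proven to be a plain decimal integer, and print values with a quoted printf rather than an unquoted echo. The function names and the constructed inputs are assumptions for illustration; the script runs under dash, bash and ksh.

```shell
# Added example (not the list's or mksh's own code): admit a value to
# $(( ... )) only after it is known to be a plain decimal integer, because
# ksh-style arithmetic treats a value like 'x[$(...)]' as an array
# subscript and evaluates the command substitution inside it.

# is_int: succeed only if $1 is an optional '-' followed by decimal digits.
is_int() {
    case "$1" in
        -?*) set -- "${1#-}" ;;    # strip one leading sign, keep the rest
    esac
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains any non-digit
    esac
    return 0
}

# safe_add: print $1 + $2, or fail (exit status 1) without evaluating
# anything if either argument is not a plain integer. A value such as
# 'x[$(rm -rf /)]' therefore never reaches the arithmetic expansion.
safe_add() {
    is_int "$1" && is_int "$2" || return 1
    printf '%s\n' "$(( $1 + $2 ))"
}

# show: print a value verbatim. The quoted "$1" and printf skip the
# split+glob step that an unquoted 'echo $var' would apply to
# /*/*/*-style input.
show() {
    printf '%s\n' "$1"
}

# Constructed inputs for demonstration; no external command is run.
safe_add 40 2                       # 42
safe_add -7 10                      # 3
safe_add 'x[$(echo pwned >&2)]' 1 || echo 'rejected: not an integer' >&2
show '/*/*/*/../../../*/*/*'        # printed literally, no globbing
```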