Re: Is this exploitable?
On Mon, May 11, 2009 at 10:35:18AM +1000, Jon Seymour wrote:
> I am trying to parse untrusted strings and represent in a form that
> would be safe to execute.

printf %q

>     cmd=echo
>     for a in $@
>     do
>       cmd="$cmd '${a/\'/''}'"
>     done
>     echo $cmd
>     eval $cmd

http://mywiki.wooledge.org/BashFAQ/050 - I'm trying to put a command in a variable, but the complex cases always fail!

Your escaping is wrong in any event.  You don't escape an apostrophe by putting another apostrophe in front of it.  I.e., this is NOT valid bash syntax:

  echo 'can''t'

This is:

  echo 'can'\''t'

Also, your parameter expansion is only handling the FIRST apostrophe in each argument.  That's surely not enough.  As I said earlier:

printf %q

> Is my code safe, or can someone maliciously choose arguments to as-echo.sh
> that could cause it (as-echo.sh) to do something other than write to stdout?

imadev:~$ ./as-echo.sh ls "can't';date'"
'ls' 'can''t';date''
cant not found
Mon May 11 08:19:33 EDT 2009
Re: Is this exploitable?
Yes, I realised that I should have at least used // after I posted, not that that would have been sufficient.  Thanks for the solution.

jon.

On Mon, May 11, 2009 at 10:20 PM, Greg Wooledge <wool...@eeg.ccf.org> wrote:
> On Mon, May 11, 2009 at 10:35:18AM +1000, Jon Seymour wrote:
>> I am trying to parse untrusted strings and represent in a form that
>> would be safe to execute.
>
> printf %q
>
>>     cmd=echo
>>     for a in $@
>>     do
>>       cmd="$cmd '${a/\'/''}'"
>>     done
>>     echo $cmd
>>     eval $cmd
>
> http://mywiki.wooledge.org/BashFAQ/050 - I'm trying to put a command in a variable, but the complex cases always fail!
>
> Your escaping is wrong in any event.  You don't escape an apostrophe by putting another apostrophe in front of it.  I.e., this is NOT valid bash syntax:
>
>   echo 'can''t'
>
> This is:
>
>   echo 'can'\''t'
>
> Also, your parameter expansion is only handling the FIRST apostrophe in each argument.  That's surely not enough.  As I said earlier:
>
> printf %q
>
>> Is my code safe, or can someone maliciously choose arguments to as-echo.sh
>> that could cause it (as-echo.sh) to do something other than write to stdout?
>
> imadev:~$ ./as-echo.sh ls "can't';date'"
> 'ls' 'can''t';date''
> cant not found
> Mon May 11 08:19:33 EDT 2009
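Added example, not code from the thread or from as-echo.sh: a small bash script that builds the command string both ways, with the list's single-apostrophe substitution beside the printf %q form Greg recommends, so the difference can be seen on the same argument. The function names (build_cmd_naive, build_cmd_safe, run_safe) are my own; the test argument is the one from Greg's terminal session.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: two ways of turning untrusted
# arguments into a command string for eval.  Function names are my own.

# Quoting as in the thread's as-echo.sh: only the first apostrophe in each
# argument is rewritten, and doubling an apostrophe is not an escape in
# bash, so an argument containing ';' ends the echo command early.
build_cmd_naive() {
    local a cmd=echo
    for a in "$@"; do
        cmd="$cmd '${a/\'/''}'"
    done
    printf '%s\n' "$cmd"
}

# printf %q emits each argument in a form the shell reads back as exactly
# one word, whatever characters it contains (quotes, ';', '$(', '*', ...).
build_cmd_safe() {
    local a cmd=echo
    for a in "$@"; do
        cmd="$cmd $(printf '%q' "$a")"
    done
    printf '%s\n' "$cmd"
}

# Build the safely quoted command and eval it; the result is echo's output,
# i.e. the original arguments joined by single spaces.
run_safe() {
    eval "$(build_cmd_safe "$@")"
}

# Demo with the argument from the thread: print both strings, run only the
# safe one (the naive string would execute 'date' as a second command).
printf 'naive: %s\n' "$(build_cmd_naive ls "can't';date'")"
printf 'safe:  %s\n' "$(build_cmd_safe ls "can't';date'")"
run_safe ls "can't';date'"
```

With the thread's argument the safe string is `echo ls can\'t\'\;date\'`, and eval'ing it prints `ls can't';date'` on one line: the `;` never reaches the parser as a command separator.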
Re: trailing slash in HOME variable
Dr. Christoph Gille wrote:
> Command prompt: Abbreviation of home path by tilde is not working when
> $HOME has a trailing slash

A tilde-prefix can never include a trailing slash, so it won't match a value of HOME that has one.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/