Re: Is this exploitable?

2009-05-11 Thread Greg Wooledge
On Mon, May 11, 2009 at 10:35:18AM +1000, Jon Seymour wrote:
> I am trying to parse untrusted strings and represent in a form that
> would be safe to execute.

printf %q

> cmd=echo
> for a in $@
> do
> cmd=$cmd '${a/\'/''}'
> done
> echo $cmd
> eval $cmd

http://mywiki.wooledge.org/BashFAQ/050 - I'm trying to put a command in
a variable, but the complex cases always fail!

Your escaping is wrong in any event.  You don't escape an apostrophe
by putting another apostrophe in front of it.  I.e., this is NOT valid
bash syntax:

  echo 'can''t'

This is:

  echo 'can'\''t'

Also, your parameter expansion is only handling the FIRST apostrophe
in each argument.  That's surely not enough.

As I said earlier: printf %q

> Is my code safe, or can someone maliciously choose arguments to
> as-echo.sh that could cause it (as-echo.sh) to do something other than
> write to stdout?

imadev:~$ ./as-echo.sh ls can't';date'
 'ls' 'can''t';date''
cant not found
Mon May 11 08:19:33 EDT 2009
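Added example, not part of the thread: a portable (POSIX sh) version of the quoting that Greg suggests getting from bash's printf %q. Each untrusted word is wrapped in single quotes and every embedded apostrophe (not just the first) is turned into '\'' , so that the later eval sees exactly one literal word per argument. The function names quote_word, quote_args and as_echo are mine, not from as-echo.sh.

```shell
# Added example: safe quoting of untrusted arguments before eval.
# Function names are hypothetical; sample inputs below are constructed.

# Quote one word. sed replaces EVERY apostrophe (note the /g) with '\'' :
# close the quote, emit an escaped apostrophe, reopen the quote.
# (In bash, "${a//\'/\'\\\'\'}" or "$(printf '%q' "$a")" does the same job.)
quote_word() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Quote all arguments, separated by single spaces.
quote_args() {
    out=""
    for a in "$@"; do
        out="$out $(quote_word "$a")"
    done
    printf '%s' "${out# }"
}

# Build the command string the way as-echo.sh does, then eval it.
# Returns the echoed text so the round trip can be checked: the output
# must be the original arguments, with nothing else executed.
as_echo() {
    cmd="echo $(quote_args "$@")"
    eval "$cmd"
}

# Constructed check with Greg's injection attempt: prints "ls can't';date'"
# and does NOT run date.
as_echo ls "can't';date'"
```

The one thing this loses is a trailing newline inside an argument, because command substitution strips it; for an argument list taken from "$@" that is rarely a concern, but printf %q in bash preserves it exactly.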




Re: Is this exploitable?

2009-05-11 Thread Jon Seymour
Yes, I realised that I should have at least used // after I posted,
not that that would have been sufficient. Thanks for the solution.

jon.

On Mon, May 11, 2009 at 10:20 PM, Greg Wooledge wool...@eeg.ccf.org wrote:
> On Mon, May 11, 2009 at 10:35:18AM +1000, Jon Seymour wrote:
> > I am trying to parse untrusted strings and represent in a form that
> > would be safe to execute.
>
> printf %q
>
> > cmd=echo
> > for a in $@
> > do
> >     cmd=$cmd '${a/\'/''}'
> > done
> > echo $cmd
> > eval $cmd
>
> http://mywiki.wooledge.org/BashFAQ/050 - I'm trying to put a command in
> a variable, but the complex cases always fail!
>
> Your escaping is wrong in any event.  You don't escape an apostrophe
> by putting another apostrophe in front of it.  I.e., this is NOT valid
> bash syntax:
>
>   echo 'can''t'
>
> This is:
>
>   echo 'can'\''t'
>
> Also, your parameter expansion is only handling the FIRST apostrophe
> in each argument.  That's surely not enough.
>
> As I said earlier: printf %q
>
> > Is my code safe, or can someone maliciously choose arguments to
> > as-echo.sh that could cause it (as-echo.sh) to do something other than
> > write to stdout?
>
> imadev:~$ ./as-echo.sh ls can't';date'
>  'ls' 'can''t';date''
> cant not found
> Mon May 11 08:19:33 EDT 2009





Re: trailing slash in HOME variable

2009-05-11 Thread Chet Ramey
Dr. Christoph Gille wrote:
> Command prompt:
> Abbreviation of home path by tilde is not working when $HOME has a trailing
> slash

A tilde-prefix can never include a trailing slash, so it won't match a
value of HOME that has one.
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer

Chet Ramey, ITS, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/