Re: bash brace issues (similar to shellshock)

2018-08-06 Thread Chet Ramey
> Find attached details regarding bash brace issues. Kind regards.

What exactly is it that you think you've found?

You have assignment statements preceding a command that is one component
of a compound command.

You might have a case that in the first three statements bash should
throw an error at the assignment statement instead of treating it as
if the operators were quoted (the result of parsing it like a possible
compound assignment), but this certainly isn't anything close to a
security problem.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/



Re: bash brace issues (similar to shellshock)

2018-08-06 Thread Chet Ramey
On 8/6/18 12:13 PM, Pierre Gaston wrote:
> On Mon, Aug 6, 2018 at 4:32 PM, martins dada 
> wrote:
> 
>> Find attached details regarding bash brace issues. Kind regards.
>>
> 
> you are simply assigning (){ to a temporary environment before running the
> command
> 
> $  n=(){ bash -c 'echo $n'
> (){
> 
> just like:
> 
> a=foo bash -c 'echo $a'
> 
> I'd agree that I would not expect bash to accept this without quotes,
> but it does not allow to execute arbitrary commands like shellshock did.
> At least your examples don't show this.

Since bash parses the assignment as a possible compound array assignment,
it accepts the parens and doesn't throw an error. Once it discovers that
the statement doesn't qualify as a compound assignment, it has a choice:
it can go back and throw an error, or accept the assignment as if it were
quoted. It does the latter.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/



Re: bash brace issues (similar to shellshock)

2018-08-06 Thread Pierre Gaston
On Mon, Aug 6, 2018 at 4:32 PM, martins dada 
wrote:

> Find attached details regarding bash brace issues. Kind regards.
>

you are simply assigning (){ to a temporary environment before running the
command

$  n=(){ bash -c 'echo $n'
(){

just like:

a=foo bash -c 'echo $a'

I'd agree that I would not expect bash to accept this without quotes,
but it does not allow to execute arbitrary commands like shellshock did.
At least your examples don't show this.

Your third example is best understood if you move the redirection at the
end:

n=(){ a= date >\ echo

redirection can appear anywhere around the command.
As you wrote it, it looks funny but it's not different from "date > file"
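
Added example, not part of any message in this thread: a check to run against a local bash that confirms what the replies above describe, namely that `(){` placed in a command's temporary environment reaches the child shell as a plain string and is not imported as a function. The helper names and the second, function-shaped test value `() { :; }` are assumptions of this example, and it needs `bash` on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Needs a `bash` binary on PATH.

# Quoted equivalent of the posted assignment: print what the child bash
# finds in $n when the value is placed in its temporary environment.
child_sees() {
    n="$1" bash -c 'printf "%s" "$n"'
}

# Succeeds only if the child bash turned the environment value of n into a
# shell function (the import mechanism Shellshock abused). Bash releases
# patched since then do not import functions from ordinary variable names.
child_has_function() {
    n="$1" bash -c 'declare -F n >/dev/null 2>&1'
}

# The unquoted assignment as posted, handed to a fresh bash so that a parse
# error (the other choice Chet describes) cannot abort this script.
# Prints "accepted:<value seen by the child>" or "rejected".
unquoted_form() {
    if out=$(bash -c "n=(){ bash -c 'printf %s \"\$n\"'" 2>/dev/null); then
        printf 'accepted:%s' "$out"
    else
        printf 'rejected'
    fi
}

# Human-readable summary for the bash installed on this machine.
report() {
    printf 'quoted value seen by child : %s\n' "$(child_sees '(){')"
    printf 'unquoted form as posted    : %s\n' "$(unquoted_form)"
    for v in '(){' '() { :; }'; do
        if child_has_function "$v"; then
            printf 'value %s -> imported as a function\n' "$v"
        else
            printf 'value %s -> plain string\n' "$v"
        fi
    done
}

report
```

A result of `rejected` for the unquoted form means the installed bash treats the posted syntax as an error instead of accepting it as if it were quoted.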


bash brace issues (similar to shellshock)

2018-08-06 Thread martins dada
Find attached details regarding bash brace issues. Kind regards.


bash
Description: Binary data