Re: Is this exploitable?

2009-05-11 Thread Greg Wooledge 
On Mon, May 11, 2009 at 10:35:18AM +1000, Jon Seymour wrote:
 I am trying to parse untrusted strings and represent in a form that
 would be safe to execute.

printf %q

 cmd=echo
 for a in $@
 do
 cmd=$cmd '${a/\'/''}'
 done
 echo $cmd
 eval $cmd

http://mywiki.wooledge.org/BashFAQ/050 - I'm trying to put a command in
a variable, but the complex cases always fail!

Your escaping is wrong in any event.  You don't escape an apostrophe
by putting another apostrophe in front of it.  I.e., this is NOT valid
bash syntax:

  echo 'can''t'

This is:

  echo 'can'\''t'

Also, your parameter expansion is only handling the FIRST apostrophe
in each argument.  That's surely not enough.

As I said earlier: printf %q

 Is my code safe, or can someone maliciously choose arguments to
 as-echo.sh that could cause it (as-echo.sh) to do something other than
 write to stdout?

imadev:~$ ./as-echo.sh ls can't';date'
 'ls' 'can''t';date''
cant not found
Mon May 11 08:19:33 EDT 2009

Re: Is this exploitable?

2009-05-11 Thread Jon Seymour 
Yes, I realised that I should have at least used // after I posted,
not that that would have been sufficient. Thanks for the solution.

jon.

On Mon, May 11, 2009 at 10:20 PM, Greg Wooledge wool...@eeg.ccf.org wrote:
 On Mon, May 11, 2009 at 10:35:18AM +1000, Jon Seymour wrote:
 I am trying to parse untrusted strings and represent in a form that
 would be safe to execute.

 printf %q

 cmd=echo
 for a in $@
 do
     cmd=$cmd '${a/\'/''}'
 done
 echo $cmd
 eval $cmd

 http://mywiki.wooledge.org/BashFAQ/050 - I'm trying to put a command in
 a variable, but the complex cases always fail!

 Your escaping is wrong in any event.  You don't escape an apostrophe
 by putting another apostrophe in front of it.  I.e., this is NOT valid
 bash syntax:

  echo 'can''t'

 This is:

  echo 'can'\''t'

 Also, your parameter expansion is only handling the FIRST apostrophe
 in each argument.  That's surely not enough.

 As I said earlier: printf %q

 Is my code safe, or can someone maliciously choose arguments to
 as-echo.sh that could cause it (as-echo.sh) to do something other than
 write to stdout?

 imadev:~$ ./as-echo.sh ls can't';date'
  'ls' 'can''t';date''
 cant not found
 Mon May 11 08:19:33 EDT 2009

Is this exploitable?

2009-05-10 Thread Jon Seymour 
I am trying to parse untrusted strings and represent in a form that
would be safe to execute.

So assuming as-echo.sh defined as below for example:

cmd=echo
for a in $@
do
cmd=$cmd '${a/\'/''}'
done
echo $cmd
eval $cmd

Then:

as-echo.sh 'a' '$(foobar)' 'c'

would produce:

   echo 'a' '$b' 'c'
   a $b c

Is my code safe, or can someone maliciously choose arguments to
as-echo.sh that could cause it (as-echo.sh) to do something other than
write to stdout?

Can anyone point me to best practice for this kind of protection in bash?

jon.