Re: Is this exploitable?
On Mon, May 11, 2009 at 10:35:18AM +1000, Jon Seymour wrote:
> I am trying to parse untrusted strings and represent in a form that would
> be safe to execute.

printf %q

>     cmd=echo
>     for a in "$@"
>     do
>       cmd="$cmd '${a/\'/''}'"
>     done
>     echo $cmd
>     eval $cmd

http://mywiki.wooledge.org/BashFAQ/050 - I'm trying to put a command in a
variable, but the complex cases always fail!

Your escaping is wrong in any event.  You don't escape an apostrophe by
putting another apostrophe in front of it.  I.e., this is NOT valid bash
syntax:

    echo 'can''t'

This is:

    echo 'can'\''t'

Also, your parameter expansion is only handling the FIRST apostrophe in
each argument.  That's surely not enough.  As I said earlier:

printf %q

> Is my code safe, or can someone maliciously choose arguments to
> as-echo.sh that could cause it (as-echo.sh) to do something other than
> write to stdout?

imadev:~$ ./as-echo.sh ls "can't';date'"
'ls' 'can''t';date''
cant not found
Mon May 11 08:19:33 EDT 2009
Re: Is this exploitable?
Yes, I realised that I should have at least used // after I posted, not that
that would have been sufficient.  Thanks for the solution.

jon.

On Mon, May 11, 2009 at 10:20 PM, Greg Wooledge <wool...@eeg.ccf.org> wrote:
> [...]
> Also, your parameter expansion is only handling the FIRST apostrophe in
> each argument.  That's surely not enough.  As I said earlier:
>
> printf %q
> [...]
Is this exploitable?
I am trying to parse untrusted strings and represent in a form that would be
safe to execute.

So assuming as-echo.sh defined as below for example:

    cmd=echo
    for a in "$@"
    do
      cmd="$cmd '${a/\'/''}'"
    done
    echo $cmd
    eval $cmd

Then:

    as-echo.sh 'a' '$(foobar)' 'c'

would produce:

    echo 'a' '$b' 'c'
    a $b c

Is my code safe, or can someone maliciously choose arguments to as-echo.sh
that could cause it (as-echo.sh) to do something other than write to stdout?

Can anyone point me to best practice for this kind of protection in bash?

jon.
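The script below is an added example, not code from the thread. It puts the as-echo.sh quoting loop from the question next to the two correct forms from Greg's reply (the '\'' escape applied to every apostrophe, and printf %q) and runs all three against Greg's payload, with a canary function standing in for date and a recording function standing in for echo, so the difference shows up as "did the injected command run" rather than as text to squint at. The function names (quote_broken, quote_sq, quote_q, build_cmd, probe, roundtrip) and the record/canary stand-ins are this example's own assumptions; it needs bash, not POSIX sh.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): the as-echo.sh quoting logic beside
# two correct ways of quoting untrusted arguments for eval.  All function
# names here are assumptions of this example; record/canary stand in for
# the real command (echo) and the injected one (date).

# The 2009 script's idea: single-quote each argument and double the FIRST
# apostrophe.  Two bugs: '' is not an escape in bash (adjacent quoted
# strings just concatenate), and only the first apostrophe is touched.
quote_broken() {
    local sq="'"
    printf "'%s'" "${1/$sq/$sq$sq}"
}

# Correct single-quote escaping: every ' becomes '\'' (close the quoted
# string, emit a backslash-escaped apostrophe, reopen the string), and
# every apostrophe is replaced (//), not just the first (/).
quote_sq() {
    local sq="'" esc="'\\''"      # esc is the four characters '\''
    printf "'%s'" "${1//$sq/$esc}"
}

# Greg's answer: let bash do it.  printf %q emits a form that, read back
# by the shell, yields exactly the original string (bash-specific).
quote_q() {
    printf '%q' "$1"
}

# build_cmd QUOTER CMD ARG...  ->  the command line as-echo.sh would eval,
# built with QUOTER instead of the script's own substitution.
build_cmd() {
    local quoter=$1 cmd=$2 a
    shift 2
    for a in "$@"; do
        cmd="$cmd $("$quoter" "$a")"
    done
    printf '%s' "$cmd"
}

# Stand-ins: record keeps the argv it received, canary notes that it ran.
seen=()
canary_fired=0
record() { seen=("$@"); }
canary() { canary_fired=1; }

# probe QUOTER  ->  "argc=N fired=F": how many arguments reached record and
# whether the injected command ran, using Greg's payload with canary in
# place of date.
probe() {
    local cmd
    seen=() canary_fired=0
    cmd=$(build_cmd "$1" record "can't';canary'" 'b c')
    eval "$cmd"
    printf 'argc=%d fired=%d' "${#seen[@]}" "$canary_fired"
}

# roundtrip QUOTER STRING  ->  0 if STRING survives quoting plus eval as
# one unchanged argument, 1 otherwise.
roundtrip() {
    seen=()
    eval "record $("$1" "$2")"
    [ "${#seen[@]}" -eq 1 ] && [ "${seen[0]}" = "$2" ]
}

# Show what each quoter builds for the thread's payload and what happens
# when the result is eval'd.
for q in quote_broken quote_sq quote_q; do
    printf '%-13s %s\n' "$q:" "$(build_cmd "$q" echo "can't';date'")"
    printf '%-13s %s\n' '' "$(probe "$q")"
done
```

The broken quoter yields `echo 'can''t';date''`, which eval splits at the unquoted `;` and runs `date` with one argument reaching echo (`cant`); the other two keep the whole payload as a single argument and the canary never fires. printf %q is the shortest correct answer in bash; the '\'' form is the one to use where the consumer is POSIX sh. Either way the result is still being fed to eval, and the BashFAQ/050 page Greg linked prefers avoiding eval entirely by keeping the command and its arguments in an array and expanding it as "${cmd[@]}".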