arbitrary code execution
Bug #1411318 reported by Phillip Sz
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
bash (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
"The problem with bash's name references
Bash 4.3 introduced declare -n ("name references") to mimic Korn shell's nameref feature, which permits variables to hold references to other variables (..). Unfortunately, the implementation used in Bash has some issues.
{…} Bash's name reference implementation still allows arbitrary code execution:
$ foo() { declare -n var=$1; echo "$var"; }
$ foo 'x[i=$(date)]'
bash: i=Thu Mar 27 16:34:09 EDT 2014: syntax error in expression (error token is "Mar 27 16:34:09 EDT 2014")
It's not an elegant example, but you can clearly see that the date command was actually executed. This is not at all what one wants."
information type: Private Security → Public Security
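A hardened variant of the `foo` function from the description, as an added example that is not part of the original report or of bash itself: it binds the name reference only when the argument is a plain identifier, so a subscript such as `x[i=$(date)]` is rejected before bash can evaluate it. The names `is_plain_identifier`, `safe_foo` and `_ref` are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Added example: validate a variable name before binding a nameref to it.
# Requires bash 4.3 or later for `declare -n`.

# Return 0 only if $1 is a plain shell identifier: a letter or underscore
# followed by letters, digits or underscores. Subscripts, expansions,
# whitespace and the empty string are all rejected.
is_plain_identifier() {
    local LC_ALL=C    # keep the bracket ranges ASCII-only
    case $1 in
        '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Print the value of the variable named by $1.
# Returns 2, without ever handing the string to `declare -n`, when the
# name is not a plain identifier or collides with the local nameref.
safe_foo() {
    if ! is_plain_identifier "$1" || [ "$1" = _ref ]; then
        printf 'safe_foo: refusing invalid variable name\n' >&2
        return 2
    fi
    declare -n _ref=$1    # safe: $1 cannot contain '[' or '$' here
    printf '%s\n' "$_ref"
}
```

The check has to run before `declare -n`, because the subscript is evaluated when the reference is dereferenced, not when the function is called.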
Have you reported this issue to the upstream bash developers?