arbitrary code execution
Bug #1411318 reported by
Phillip Sz
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| bash (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
"The problem with bash's name references
Bash 4.3 introduced declare -n ("name references") to mimic Korn shell's nameref feature, which permits variables to hold references to other variables (..). Unfortunately, the implementation used in Bash has some issues.
{…} Bash's name reference implementation still allows arbitrary code execution:
$ foo() { declare -n var=$1; echo "$var"; }
$ foo 'x[i=$(date)]'
bash: i=Thu Mar 27 16:34:09 EDT 2014: syntax error in expression (error token is "Mar 27 16:34:09 EDT 2014")
It's not an elegant example, but you can clearly see that the date command was actually executed. This is not at all what one wants."
| information type: | Private Security → Public Security |
| description: | updated |
Revision history for this message
| Marc Deslauriers (mdeslaur) wrote | #1 |
| Changed in bash (Ubuntu): | |
| status: | New → Confirmed |
| description: | updated |
Revision history for this message
| Phillip Sz (phillip-sz) wrote | #2 |
Revision history for this message
| Phillip Sz (phillip-sz) wrote | #3 |
To post a comment you must log in.
Have you reported this issue to the upstream bash developers?