-----Original Message----- From: fedora-list-bounces@xxxxxxxxxx on behalf of Luciano Rocha Sent: Wed 10/03/2007 02:18 PM To: fedora-list@xxxxxxxxxx Cc: Subject: Re: shell variable security On Wed, Oct 03, 2007 at 06:01:59PM +0000, tony.chamberlain@xxxxxxxxx wrote: > > > I guess I was asking in general how you can be sure your variables are safe. > Maybe it is more complicated than that? I really have just heard warnings from > everyone, so I was taking pre-emptive measures. > > I tried a few things myself too and also could not get that problem. > > I tried making a file called test and doing things like > > K="$1" > echo $K > > > and then calling > > test "hello\";date" > > a nd > FIL="$1" > ls $FIL > > but that seemed to be OK > test "hello /etc/* bye" Is one instance where the expansion is performed (with ls & echo). That will cause problems with things like rm, etc. ------------------------------- Ok... I modified by test case to use `rm` instead of echo: while read line; do rm $line done And the ';' still gets automatically quoted. So when I entered 'a; date', it tried to delete the file 'a;' and the file 'date', neither existed. % bash -x x.sh + read line a; date + rm 'a;' date rm: cannot remove `a;': No such file or directory rm: cannot remove `date': No such file or directory + read line Getting back the OP concern, this becomes much more critical when constructing database queries with user supplied data. Intent: select * from users where name = "$input"; Exploit: (user provided data in {}) select * from users where name = "{JON"; DELETE FROM USERS WHERE "X" = "X}";
<<winmail.dat>>
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list