On 11/14/16 1:37 PM, Clint Hepner wrote:

> Bash Version: 4.4
> Patch Level: 0
> Release Status: release
>
> Description:
>
> ${...@P} expansion allows arbitrary code to run. This might
> be intentional, as it is how prompt strings work, but it
> does feel like an understated security risk.
>
> Repeat-By:
>
> $ foo='$(echo hello)'
> $ echo "${foo}"
> $(echo hello)
> $ echo "${foo@P}"
> hello
>
> Fix:
> The man page might explicitly state that command substitutions
> in the value of the expanded parameter will be executed.

The question is how many different places you want to have the same
information. The description of @P already contains a pointer to the
PROMPTING section, which explicitly lists command substitution as one of
the expansions prompt strings undergo.

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://cnswww.cns.cwru.edu/~chet/
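
The behaviour discussed in this thread, as an added example that is not part of either message and is not bash's own code: it reproduces the report's expansion and shows a conservative guard for values that come from outside the script. It assumes bash 4.4 or later; the function names `prompt_expand`, `safe_prompt_expand` and `marker_after` and the marker-file input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; needs bash 4.4+ for the ${var@P} transformation.

# Behaviour from the report: the value is expanded as a prompt string, so a
# command substitution inside it is executed.
prompt_expand() {
    local value=$1
    printf '%s\n' "${value@P}"
}

# Hypothetical guard: only prompt-expand values that cannot start an expansion.
# '$' and '`' introduce parameter, command and arithmetic expansion. Backslash
# is refused too, because prompt escapes are decoded before that expansion
# step and \nnn can yield any character.
safe_prompt_expand() {
    local value=$1
    case $value in
        *'$'* | *'`'* | *\\*)
            printf 'refused: %q\n' "$value" >&2
            return 1
            ;;
    esac
    printf '%s\n' "${value@P}"
}

# Constructed check: a marker file records whether the embedded command ran.
# Prints "executed" or "not executed" for the expander named in $1.
marker_after() {
    local expander=$1 dir marker result
    dir=$(mktemp -d) || return 2
    marker=$dir/ran
    # Constructed untrusted value; the single quotes keep it literal here.
    local untrusted='$(touch '"$marker"'; echo hello)'
    "$expander" "$untrusted" >/dev/null 2>&1 || true
    if [ -e "$marker" ]; then result=executed; else result='not executed'; fi
    rm -rf -- "$dir"
    printf '%s\n' "$result"
}

foo='$(echo hello)'    # value from the report
echo "plain:     ${foo}"
echo "with @P:   $(prompt_expand "$foo")"
echo "unguarded: $(marker_after prompt_expand)"
echo "guarded:   $(marker_after safe_prompt_expand)"
```

The guard rejects more than strictly necessary (any `$`, backtick or backslash), which suits values that are supposed to be plain text anyway.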