If you run

    echo "$((v))"

and v is a user-supplied variable, then if the user puts a specific
string in v, he can execute whatever he wants in the name of the script,
because echo "$((v))" will run that code.

On 6/4/2019 at 4:29 PM, Chet Ramey wrote:
> On 6/4/19 7:42 AM, Nils Emmerich wrote:
>
>> Bash Version: 5.0
>> Patch Level: 0
>> Release Status: release
>>
>> Description:
>> It is possible to get code execution via a user-supplied variable
>> in the mathematical context.
>> I don't know if this is considered a bug or not, but if not, I
>> think people should be made aware that the mathematical context is unsafe.
>
> The tokens in a mathematical expression undergo a set of word expansions.
> If you could post the example you're using we can analyze its behavior.

--
Nils Emmerich
ERNW Research GmbH
Carl-Bosch-Str. 4
69115 Heidelberg
www.ernw.de
Tel. +49 6221 480390 (Secretariat)
Commercial Register Mannheim HRB 723285
Managing Director: Dr.-Ing. Andreas Dewald
Blog: www.insinuator.net
Conference: www.troopers.de
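
A defensive sketch for the pattern discussed in this thread, added here as an example and not taken from the thread or from bash itself: since bash evaluates the contents of v as an expression inside $((...)), the input is matched against a strict integer-literal pattern before it reaches arithmetic. The function names and the sample inputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: gate user input before it reaches $(( )).
# Function names and sample inputs are constructed for illustration.

# The pattern from the thread, for contrast: the *contents* of v are
# evaluated as an expression, so v='1+2' prints 3, not an error.
unsafe_echo() {
    v=$1
    echo "$((v))"
}

# Accept only a plain base-10 integer literal: optional leading '-',
# digits only, no leading zero (08 would be parsed as invalid octal),
# at most 18 digits so the value fits in a 64-bit integer.
is_plain_integer() {
    case $1 in
        ''|-)       return 1 ;;  # empty or a lone sign
        *[!0-9-]*)  return 1 ;;  # anything besides digits and '-'
        ?*-*)       return 1 ;;  # '-' anywhere but the first position
        0?*|-0*)    return 1 ;;  # leading zero, or negative zero
    esac
    digits=${1#-}
    [ "${#digits}" -le 18 ]
}

# Validate first, evaluate second. Rejections go to stderr, status 1.
safe_arith_echo() {
    if ! is_plain_integer "$1"; then
        echo "rejected: not an integer literal" >&2
        return 1
    fi
    v=$1
    echo "$((v))"
}

# Constructed sample inputs, all harmless.
for sample in 42 -7 0 '1+2' count 08 ''; do
    if out=$(safe_arith_echo "$sample" 2>/dev/null); then
        echo "accepted '$sample' -> $out"
    else
        echo "rejected '$sample'"
    fi
done
```

The same check applies to every arithmetic context that takes a variable, not only $((...)) inside echo.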