elettrino via Bug reports for the GNU Bourne Again SHell
<bug-bash@gnu.org> writes:
> The following shows an example of bash testing a quoted string and as
> a result executing a command embedded in the string.
>
> Here I used the command "id" to stand as an example of a command. The
> output of id on this machine was as follows:
>
> user@machine:~$ id
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
>
> So to demonstrate:
>
> user@machine:~$ USER_INPUT='x[$(id>&2)]'
> user@machine:~$ test -v "$USER_INPUT"
> uid=1519(user) gid=1519(user) groups=1519(user),100(users)
> user@machine:~$
>
> This means that if variable USER_INPUT was indeed input from a user,
> the user could execute an arbitrary command.

This is true, but two qualifications should be applied:

1. Executing "test -v" on user input doesn't make sense, as the
variable-name space inside the shell isn't something the user should
interact with.

2. It isn't a security problem, because the user could execute the
command directly.

I leave it to people more steeped in the arcana whether this action by
"test -v" is an irregularity that should be changed.

Dale
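
An added example, not part of either message in this thread: a bash wrapper for scripts that must run "test -v" on a name they did not write themselves, which accepts only a plain identifier or name[decimal-index] and rejects everything else before the shell evaluates it. The function names is_plain_name and safe_isset and the return-code convention are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): refuse anything but a plain name or
# name[decimal-index] before it reaches `test -v`.

# 0 if $1 is a plain shell identifier, 1 otherwise.
is_plain_name() {
    local LC_ALL=C                       # ASCII-only bracket ranges
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# safe_isset REF: 0 = set, 1 = unset, 2 = REF rejected without being evaluated.
safe_isset() {
    local ref="$1" base idx
    base=${ref%%\[*}                     # text before the first "["
    is_plain_name "$base" || return 2
    if [ "$base" != "$ref" ]; then
        idx=${ref#"$base"}               # the "[...]" remainder
        case "$idx" in
            \[*\]) idx=${idx#\[}; idx=${idx%\]} ;;
            *) return 2 ;;
        esac
        # Decimal literal only: no $, no operators, no nested brackets, and
        # no leading zero (bash would read that as octal).
        case "$idx" in
            ''|0?*|*[!0-9]*) return 2 ;;
        esac
    fi
    test -v "$ref"
}

# Constructed inputs; the last one is the string from the report above.
for name in HOME no_such_variable_here 'x[$(id>&2)]'; do
    rc=0
    safe_isset "$name" || rc=$?
    printf '%-24s -> %s\n' "$name" "$rc"
done
```

A rejected reference returns 2 without reaching "test", so the subscript is never handed to the arithmetic evaluator.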
