On 19/11/2021 10:53, Marshall Whittaker wrote:
You could argue that bash should parse filenames globbed from * that start with - and exclude them specifically, so I'll have to respectfully disagree.
One could, but it would not make for a compelling argument. Define GLOBIGNORE, if you insist.
Also, it is not the programs doing the parsing of *, that is a
function of bash. Try typing * in just your terminal/command line and see what happens
Yes. However, the presented 'exploit' hinges upon the behaviour of a selected external program. Luckily for you, any that uses getopt(3) will support -- as a means of concluding option recognition, rm(1) included. In the case that you are using a program where option arguments cannot be reliably separated from non-option arguments, specifying the glob as ./* will commonly suffice.
A short whitepaper on it has been made public at: https://oxagast.org/posts/bash-wildcard-expansion-arbitrary-command-line-arguments-0day/ complete with a mini Po
It's perplexing that your post relies upon the use of -- to get the point across, without acknowledging its import. At any rate, this does not constitute a vulnerability on the part of bash, much less a zero-day.
-- Kerin Millar
