On Sunday 27 Mar 2011, Joachim Breitner wrote:
> On Sunday, 27.03.2011 at 08:16 +0530, Raj Mathur (राज माथुर) wrote:
> > Both are unsafe. Consider the user who enters his username as
> > (literally):
> >
> > Raj `rm -rf /`Mathur
> >
> > Then your grep command translates to:
> >
> > grep -q "^Raj `rm -rf /`Mathur$" present
> >
> > and if your app is running as root, voila! no more files on your
> > system! The user is marked present too :)
> >
> > The OP needs to do much more thinking about input sanitisation.
>
> No, this line is safe with
>
> $ fgrep -qx "$USER" present
>
> Thanks to the quotes around $USER, the `...` part would not be
> executed. But the quotes should be around every use of USER; in the
> later part of the code your exploit works.
As Binand pointed out in personal mail, you are absolutely correct and the shell will not interpret `...` commands in a variable read from a user. My apologies.

Regards,

-- Raj

--
Raj Mathur [email protected] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
PsyTrance & Chill: http://schizoid.in/ || It is the mind that moves
--
http://mm.glug-bom.org/mailman/listinfo/linuxers
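The quoting point settled above, as an added demonstration that is not part of the thread: a user-supplied value is never command-substituted when a variable is expanded, but an unquoted expansion is still word-split and globbed, and a regex grep still interprets metacharacters in it. The `present` file, the hostile name and the sentinel path are all constructed here.

```shell
#!/bin/sh
# Added demo: is a user-supplied string ever executed or reinterpreted by the
# shell when it is expanded inside a grep command? Everything lives in a
# constructed scratch directory.
WORK=$(mktemp -d)
cd "$WORK" || exit 1
SENTINEL="$WORK/injected"
printf '%s\n' 'Alice' 'Raj Mathur' 'present' > present

# The check from the thread (fgrep is grep -F): fixed-string, whole-line
# match, with the user value quoted.
is_present() {
    grep -Fqx "$1" present
}

# Regex variant with ^...$ anchors. The value is still quoted, so it is not
# executed either, but regex metacharacters inside it are interpreted.
is_present_regex() {
    grep -q "^$1\$" present
}

# Same fixed-string check with the value left unquoted: the shell applies word
# splitting and pathname expansion to it before grep ever sees it.
is_present_unquoted() {
    grep -Fqx $1 present
}

# True only if something actually ran the embedded command.
sentinel_created() { [ -e "$SENTINEL" ]; }

# Constructed hostile input: a command substitution embedded in the name.
# If the shell executed it, the sentinel file would appear.
HOSTILE="Raj \`touch $SENTINEL\`Mathur"

report() { if "$@"; then echo "match:    $*"; else echo "no match: $*"; fi; }

report is_present "$HOSTILE"          # no match, and nothing was executed
report is_present_regex "$HOSTILE"    # no match, and nothing was executed
report sentinel_created               # no match: no command substitution

report is_present_regex '.*'          # match: '.*' is a regex matching any line
report is_present '.*'                # no match: literal text ".*"

report is_present '*'                 # no match: literal "*"
report is_present_unquoted '*'        # match: '*' globbed to "present", a real line
```

The last pair is the point about quoting every use of the variable: the unquoted form hands grep whatever the glob expanded to, not what the user typed.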

