Vulnerability Development mailing list archives
Re: Unix * weirdness
From: imp () VILLAGE ORG (Warner Losh)
Date: Sat, 1 Jan 2000 21:22:52 -0700
In message <386EC85E.61F6F9C7 () thievco com> Blue Boar writes: : I got a lot of replies suggesting these two methods. I believe I tried : single-quoting the filename too, but that didn't work, which surprised me. This doesn't suprise me. All you are doing by this is protecting things against shell expansion. Shell passes "-test" to rm if you invoke it in any of the following ways: rm -test rm '-test' rm \-test rm "-test" : How about if there's a space in front? Like I said in other mail, after the globbing happens, the shell DOES NOT rescan the line, so there is no vulnerability. If we had a file named 'fred bob' and '-rf /', then rm * would result in the shell calling[*] rm with the following args "rm" "-rf /" "fred bob" NULL rm would see the first arg and getopt would try the 'r' flag, the 'f' flag, the ' ' flag and the '/' flag. The - at the beginning of the arg causes all of the characters to be treated as single character arguements. : That's what I wanted to know. So why does the shell escape those, : and not the - ? What can't I single-quote around or manually escape : the - ? (using /bin/sh in my examples.) Someone know the section : of shell source code that does this part off of the top of their head? Because the shell doesn't consider - special[**]. It doesn't do anything with - except pass it along. So if you quote it, it will still pass it along. There's nothing to expand. Quoting to protect something from the shell doesn't have any effect on those things that the shell doesn't use. Warner [*] Ok, shell calls execvp(2) or some other variant. [**] OK, shell does use '-' for [a-z]-like phrases, but that's not what we're talking about.
Current thread:
- Unix * weirdness Blue Boar (Jan 01)
- Re: Unix * weirdness Yong S. Yi (Jan 01)
- Re: Unix * weirdness Forever shall I be. (Jan 01)
- Re: Unix * weirdness Blue Boar (Jan 01)
- Re: Unix * weirdness Warner Losh (Jan 01)
- Re: Unix * weirdness Bernie Cosell (Jan 01)
- Re: Unix * weirdness Blue Boar (Jan 01)
- iishack/tesoiis.c - What's wrong ? Ory Segal (Jan 03)
- Re: iishack/tesoiis.c - What's wrong ? Seth Georgion (Jan 03)
- Re: iishack/tesoiis.c - What's wrong ? The Underground Legendary Emperor (Jan 04)
- Re: Unix * weirdness Blue Boar (Jan 01)
- Re: Unix * weirdness Blue Boar (Jan 01)
- <Possible follow-ups>
- Re: Unix * weirdness Pierre Belanger (Jan 01)
- Re: Unix * weirdness Scott Hardy (Jan 01)