Message-ID: <20031027164026.GA1165865@ohm.arago.de>
From: full-disclosure at arago.de (Thomas Binder)
Subject: sh-httpd `wildcard character' vulnerability

Hi!

On Mon, Oct 27, 2003 at 10:42:45PM +0800, dong-h0un U wrote:
> [...]
>  bname() {
>         local IFS='/'
> -       set -- $1
> +       set -- "$1"
>         eval rc="\$$#"
>         [ "$rc" = "" ] && eval rc="\$$(($# - 1))"
>         echo "$rc"
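
Review bot: quoting the expansion in the added line set -- "$1" switches off field splitting together with pathname expansion, so with IFS='/' the path is never broken into components, $# is always 1, and the eval rc="\$$#" that follows returns the whole path instead of its last component. Keep the unquoted set -- $1 and disable globbing around it instead (set -f before it, set +f after it). Separately, on the unchanged eval rc="\$$#" line, a path that splits into ten or more fields makes the shell read $10 as ${1}0; \${$#} avoids that.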

Mhmm, doesn't that break things, as $# will always be 1 if you do

set -- "$some_variable"

no matter how many instances of $IFS there are in $some_variable:

$ foo="/a/b/c/d"
$ IFS='/'
$ set -- "$foo"
$ echo $#
1
$ echo "$1"
a/b/c/d

Actually, $# should be 4 and $1 should be "a"

I'd rather suggest using

set -f
set -- $some_variable
set +f

to disable wildcard expansion for the set-statement:

$ foo="/var/tmp/*"
$ IFS='/'
$ set -f
$ set $foo
$ set +f
$ echo $#
3
$ echo "1: $2, 2: $2, 3: $3"
1: tmp, 2: tmp, 3: *


Ciao

Thomas
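
The three forms discussed in this message, side by side, as an added example that is not part of the original post or of sh-httpd. The function names, `last_field`, `in_sample_dir` and the sample files are constructed for illustration, and `last_field` replaces the original `eval` lookup with a loop that returns the last non-empty field.

```shell
#!/bin/sh
# Function bodies use ( ... ) so IFS and "set -f" changes stay inside a
# subshell. This also avoids an unconditional "set +f", which would turn
# globbing back on even if the caller had disabled it.

last_field() {                 # last non-empty positional parameter
    rc=
    for f in "$@"; do
        [ -n "$f" ] && rc=$f
    done
    printf '%s\n' "$rc"
}

bname_glob() (                 # original form: splits on / AND expands wildcards
    IFS='/'
    set -- $1
    last_field "$@"
)

bname_quoted() (               # patched form: no wildcard expansion, but no splitting
    IFS='/'
    set -- "$1"
    last_field "$@"
)

bname_noglob() (               # suggested form: splits on /, wildcards stay literal
    IFS='/'
    set -f
    set -- $1
    last_field "$@"
)

in_sample_dir() (              # run a command inside a scratch directory
    dir=$(mktemp -d) && cd "$dir" || exit 1
    : > alpha; : > secret.txt  # constructed sample files
    "$@"
    cd / && rm -rf "$dir"
)

for p in '/docs/*' '/a/b/c/d'; do
    printf '%-10s glob=%s quoted=%s noglob=%s\n' "$p" \
        "$(in_sample_dir bname_glob "$p")" \
        "$(in_sample_dir bname_quoted "$p")" \
        "$(in_sample_dir bname_noglob "$p")"
done
```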

