lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 20 Sep 2011 14:31:28 -0400
From: Valdis.Kletnieks@...edu
To: Kirils Solovjovs <kirils.solovjovs@...ils.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Possibility to exploit bash "*" processing

On Tue, 20 Sep 2011 13:29:11 +0300, Kirils Solovjovs said:
> Brought this up a year ago. Seems that no attention has been given to
> this so far.

Probably because anybody who's used the various Bourne-style shells for a while
considers it a feature, not a bug.  This is a case where the Principle of Least
Surprise comes up with different answers for novice users and for experts:
"What? A * can expand into an unintended command argument?" "Yeah, what *else*
would it do - the shell is just globbing, it doesn't know for sure what the
command will do with the parameter".

Multics had an alternate solution for this issue - when you issued a command,
it would get invoked right then and there and take over terminal input and
allow guided completions knowing what the command syntax was (think "love child
of getopt and readline" ;) Of course, this doesn't play well with pipes,
especially if the pipe further down the line has a redirection that fails. 

> One solution would be to modify "*" processing so that it ignores
> filenames that start "-" similarly as it ignores filenames that start
> with "."'

No, you don't want to do that.  You want to provide an *optional*
flag, similar to the shopt settings for 'dotglob', 'extglob', 'failglob', 'globstar',
'nocaseglob', and 'nullglob'.

Having said that, a 'shopt dashglob' shouldn't be too hard to implement,
as you can do 98% of it based on the already-existing 'dotglob' code, and
that's probably the way to address the issue.

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists