Comment by chubot
7 days ago
It’s a design mistake because it adds exactly zero functionality.
The only thing it adds is insecurity.
If the feature didn’t exist, then it wouldn’t need to be documented, and the world would be better.
[flagged]
I think you missed the original point, which is that joining argv is equivalent to
This is a form of shell injection, just like
because there's interpolation WITHOUT escaping.
That should be:
Or simply
It's not my preconception -- it's a security problem.
It's similar to ShellShock -- you can argue it was documented behavior, but it's still a security problem.
The interpolation is not the security problem, the problem is the user not quoting their data.
It's similar to curl CWE-93[1], where it was documented and in-use behavior and consequently was rejected as a security problem.
Example for ssh:
[1] https://hackerone.com/reports/3133379
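Added example, not part of any comment in the thread: what happens to argument boundaries when an argv list is joined with spaces and re-parsed by a shell, as ssh does with its command arguments, compared with quoting each argument first. The function names and sample argv lists are constructed for illustration, and `shlex` tokenization stands in for the remote shell (it models word splitting and operators only, with no expansion or execution).

```python
import shlex

def naive_join(argv):
    """Join argv with spaces and no escaping (the behaviour the thread argues about)."""
    return " ".join(argv)

def quoted_join(argv):
    """Quote every argument for a POSIX shell, then join."""
    return shlex.join(argv)

def shell_words(command_line):
    """Approximate how a POSIX shell tokenizes a command string.

    Quotes are honoured and operators such as ';' become separate tokens.
    """
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    return list(lexer)

def survives(argv, joiner):
    """True if the receiving shell would see exactly the argv the caller intended."""
    return shell_words(joiner(argv)) == argv

# Constructed sample argument lists.
SAMPLES = [
    ["cat", "my notes.txt"],   # space inside one argument
    ["echo", "a;b"],           # shell operator inside one argument
    ["grep", "", "file.txt"],  # empty argument
]

def report():
    """Return (argv, naive_ok, quoted_ok) for each sample."""
    return [(a, survives(a, naive_join), survives(a, quoted_join)) for a in SAMPLES]

if __name__ == "__main__":
    for argv, naive_ok, quoted_ok in report():
        print(argv)
        print("  naive :", naive_join(argv), "->", shell_words(naive_join(argv)), naive_ok)
        print("  quoted:", quoted_join(argv), "->", shell_words(quoted_join(argv)), quoted_ok)
```
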