← Back to context Comment by blueflow 6 months ago [flagged] 13 comments blueflow Reply chubot 6 months ago I think you missed the original point, which is that joining argv is equivalent to sh -c "$1 $2 $3 $4 ..." This is a form of shell injection, just like sh -c "ls $dir" because there's interpolation WITHOUT escaping.That should be: dir=$(escape "$dir") sh -c "ls $dir" Or simply ls "$dir" It's not my preconception -- it's a security problem.It's similar to ShellShock -- you can argue it was documented behavior, but it's still a security problem. blueflow 6 months ago The interpolation is not the security problem, the problem is the user not quoting their data.It's similar to curl CWE-93[1], where it was documented and in-use behavior and consequently was rejected as a security problem.Example for ssh: ssh host ls "$(quote "$dir")" [1] https://hackerone.com/reports/3133379 immibis 6 months ago No, the problem is that even if you quote your data, ssh unquotes it, so you have to quote it twice. 8 replies → Filligree 6 months ago And yet it keeps happening. An engineering field grows up when people stop assigning blame, and start searching for solutions. 1 reply →
chubot 6 months ago I think you missed the original point, which is that joining argv is equivalent to sh -c "$1 $2 $3 $4 ..." This is a form of shell injection, just like sh -c "ls $dir" because there's interpolation WITHOUT escaping.That should be: dir=$(escape "$dir") sh -c "ls $dir" Or simply ls "$dir" It's not my preconception -- it's a security problem.It's similar to ShellShock -- you can argue it was documented behavior, but it's still a security problem. blueflow 6 months ago The interpolation is not the security problem, the problem is the user not quoting their data.It's similar to curl CWE-93[1], where it was documented and in-use behavior and consequently was rejected as a security problem.Example for ssh: ssh host ls "$(quote "$dir")" [1] https://hackerone.com/reports/3133379 immibis 6 months ago No, the problem is that even if you quote your data, ssh unquotes it, so you have to quote it twice. 8 replies → Filligree 6 months ago And yet it keeps happening. An engineering field grows up when people stop assigning blame, and start searching for solutions. 1 reply →
blueflow 6 months ago The interpolation is not the security problem, the problem is the user not quoting their data.It's similar to curl CWE-93[1], where it was documented and in-use behavior and consequently was rejected as a security problem.Example for ssh: ssh host ls "$(quote "$dir")" [1] https://hackerone.com/reports/3133379 immibis 6 months ago No, the problem is that even if you quote your data, ssh unquotes it, so you have to quote it twice. 8 replies → Filligree 6 months ago And yet it keeps happening. An engineering field grows up when people stop assigning blame, and start searching for solutions. 1 reply →
immibis 6 months ago No, the problem is that even if you quote your data, ssh unquotes it, so you have to quote it twice. 8 replies →
Filligree 6 months ago And yet it keeps happening. An engineering field grows up when people stop assigning blame, and start searching for solutions. 1 reply →
I think you missed the original point, which is that joining argv is equivalent to
This is a form of shell injection, just like
because there's interpolation WITHOUT escaping.
That should be:
Or simply
It's not my preconception -- it's a security problem.
It's similar to ShellShock -- you can argue it was documented behavior, but it's still a security problem.
The interpolation is not the security problem, the problem is the user not quoting their data.
It's similar to curl CWE-93[1], where it was documented and in-use behavior and consequently was rejected as a security problem.
Example for ssh:
[1] https://hackerone.com/reports/3133379
No, the problem is that even if you quote your data, ssh unquotes it, so you have to quote it twice.
8 replies →
And yet it keeps happening. An engineering field grows up when people stop assigning blame, and start searching for solutions.
1 reply →