Comment by chubot
6 days ago
I think you missed the original point, which is that joining argv is equivalent to
sh -c "$1 $2 $3 $4 ..."
This is a form of shell injection, just like
sh -c "ls $dir"
because there's interpolation WITHOUT escaping.
That should be:
dir=$(escape "$dir")
sh -c "ls $dir"
Or simply
ls "$dir"
It's not my preconception -- it's a security problem.
It's similar to ShellShock -- you can argue it was documented behavior, but it's still a security problem.
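The escape-then-interpolate fix from the comment above, as an added example that is not part of this thread: `shquote`, `join_args`, `naive_join` and `words_seen` are assumed helper names, and `words_seen` stands in for the remote `sh -c` that sshd hands the joined string to.

```shell
#!/bin/sh
# shquote: wrap one argument in single quotes so that a POSIX sh reads it
# back as exactly one word; an embedded ' becomes '\'' (close, escaped quote, reopen).
shquote() {
  shq_in=$1
  shq_out="'"
  while [ -n "$shq_in" ]; do
    shq_c=${shq_in%"${shq_in#?}"}   # first character of the remaining input
    shq_in=${shq_in#?}
    if [ "$shq_c" = "'" ]; then
      shq_out="$shq_out'\\''"
    else
      shq_out="$shq_out$shq_c"
    fi
  done
  printf '%s' "$shq_out'"
}

# join_args: what "joining argv" should do before the string reaches a
# shell: every argument escaped, then separated by single spaces.
join_args() {
  ja_sep=""
  for ja_a in "$@"; do
    printf '%s%s' "$ja_sep" "$(shquote "$ja_a")"
    ja_sep=" "
  done
}

# naive_join: the unsafe join the comment objects to ("$1 $2 $3 ...").
naive_join() {
  printf '%s' "$*"
}

# words_seen: hand a command string to sh -c, as the remote side of ssh
# does, and report how many words the shell made of it (command name included).
words_seen() {
  sh -c "set -- $1; printf '%s' \"\$#\""
}

# Constructed input: a directory name containing a space and a quote.
dir="My Photos (it's)"
printf 'naive join  -> %s words\n' "$(words_seen "$(naive_join ls "$dir")")"
printf 'quoted join -> %s words\n' "$(words_seen "$(join_args ls "$dir")")"
```

Trailing newlines in an argument are lost through `$(...)` command substitution, so a value that may end in a newline should be passed to `shquote` directly rather than captured.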
The interpolation is not the security problem, the problem is the user not quoting their data.
It's similar to curl CWE-93[1], where it was documented and in-use behavior and consequently was rejected as a security problem.
Example for ssh:
[1] https://hackerone.com/reports/3133379
No, the problem is that even if you quote your data, ssh unquotes it, so you have to quote it twice.
> ssh unquotes it
ssh does not unquote. It's the local shell; if you are invoking ssh via execv, this does not apply.
And yet it keeps happening. An engineering field grows up when people stop assigning blame, and start searching for solutions.
I just posted one way how to do it correctly.
And research (aka: consulting the manpage) is an essential part of engineering. Doing that would also solve the problem.