oss-sec mailing list archives
Re: Shell wildcards considered dangerous?
From: Noel Kuntze <noel.kuntze+oss-security@thermi.consulting>
Date: Mon, 9 Dec 2019 18:30:22 +0100
Hello Leonid,

I was referring to my own message, not the original one by Georgi.

Kind regards

Noel

On 09.12.19 at 17:46, Leonid Isaev wrote:
> On Mon, Dec 09, 2019 at 04:28:35PM +0100, Noel Kuntze wrote:
>> The message was about the attack vector on applications that put together
>> argument vectors based on user input, not specifically about human use of
>> the shell.
>
> Then, why in "tar xf *.tar" the "*" is expected to mean anything other than a
> literal * (0x2a)? It is because of the shell globbing: "tar xf ./*.tar" will
> work without any "--". For example:
>
> -----8<-----
> $ echo -E "xxx" > "-b xxx.qwetr"
> $ file *.qwetr
> file: invalid option -- ' '
> file: invalid option -- 'x'
> file: invalid option -- 'x'
> file: invalid option -- 'x'
> file: invalid option -- '.'
> file: invalid option -- 'q'
> file: invalid option -- 'w'
> Usage: file [-bcCdEhikLlNnprsvzZ0] [--apple] [--extension] [--mime-encoding]
>             [--mime-type] [-e <testname>] [-F <separator>] [-f <namefile>]
>             [-m <magicfiles>] [-P <parameter=value>] <file> ...
>        file -C [-m <magicfiles>]
>        file [--help]
> $
> $ file ./*.qwetr
> ./-b xxx.qwetr: ASCII text
> ----->8-----
>
> Sincerely,
> L.

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
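
The following is an added example, not part of the original thread: a small POSIX shell audit that shows how the bare and the "./"-anchored glob from the quoted session expand, and how a name taken from untrusted input can be anchored before it goes into an argument vector. The function names and the temporary fixture are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and the fixture are constructed for illustration.

# Count arguments that a getopt-style parser would read as options.
count_option_like() {
    n=0
    for arg in "$@"; do
        case $arg in
            -?*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Expand PATTERN inside DIR exactly as a command line would, then report
# how many of the resulting words look like options.
audit_glob() {  # usage: audit_glob DIR PATTERN
    (
        cd "$1" || exit 1
        # Unquoted on purpose: let the shell perform pathname expansion.
        set -- $2
        count_option_like "$@"
    )
}

# For argument vectors assembled from untrusted names: anchor a name that
# starts with "-" so it is parsed as a path, never as an option.
anchor_name() {
    case $1 in
        -*) printf './%s\n' "$1" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# Constructed fixture: the file name from the quoted session plus a benign one.
make_fixture() {
    d=$(mktemp -d) || return 1
    echo xxx > "$d/-b xxx.qwetr"
    echo yyy > "$d/plain.qwetr"
    echo "$d"
}

fixture=$(make_fixture)
echo "bare glob:     $(audit_glob "$fixture" '*.qwetr') option-like argument(s)"
echo "anchored glob: $(audit_glob "$fixture" './*.qwetr') option-like argument(s)"
rm -rf -- "$fixture"
```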