Re: Expanding environment variables

From: Barry Margolin (barry.margolin_at_level3.com)
Date: 05/30/03


Date: Fri, 30 May 2003 19:07:44 GMT

In article <20030530182741.GA1169@iv.nn.kiev.ua>,
Valentin Nechayev <netch@segfault.kiev.ua> wrote:
>>>> Barry Margolin wrote:
>
>>PB>> And of course you should be cautious with the possible security risk,
>>PB>> because the user could as well write MY_LOG_FILE = `rm -rf /` and you
>>PB>> would not want to run popen("/bin/bash -c 'echo `rm -rf /`'")...
>>>*Why* should the log file be executed (placed in `...`)?
>>>It must not, and I can't see what you found here.
>BM> If you use the shell to expand environment variables, it will also process
>BM> any other shell metacharacters. So if the config file contains backtick
>BM> characters,
>
>OK, I missed that backticks were already in file "name".
>
>BM> the commands inside them would be executed because that's what
>BM> the shell does with backticks.
>
>So, as tilde expansion requires an unmasked tilde, it isn't reasonable to pass
>it to the shell: distinguishing between tilde and non-tilde cases and masking
>in the latter is as complicated as embedded tilde expansion.

Right. Whether this is important depends on the trust relationship between
the user running the application and the users who can edit the config
file. If the config file owner is the same as the person running the
application, then he can only hurt himself by doing this, but if other
users can edit the config file then they can use it as a way to hack him.

-- 
Barry Margolin, barry.margolin@level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
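The "embedded expansion" the thread settles on, as an added example that is not code from this post or its author: a small C routine (function name and behaviour are my own choice) that expands a leading `~` and `$NAME`/`${NAME}` references in a config value inside the process, so that backticks and every other shell metacharacter are copied through as literal characters instead of being handed to `/bin/sh -c`.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv/unsetenv/getenv prototypes */
/* Added example, not code from the thread: expand a leading "~" and
 * "$NAME"/"${NAME}" in-process, so backticks and other metacharacters stay literal. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Append src to dst (capacity cap, current length *len).
 * Returns 0 on success, -1 if the result would not fit. */
static int append(char *dst, size_t cap, size_t *len, const char *src) {
    size_t n = strlen(src);
    if (*len + n >= cap) return -1;
    memcpy(dst + *len, src, n + 1);
    *len += n;
    return 0;
}

/* Expand value into out. Unset variables expand to "". Returns 0 on success,
 * -1 on truncation, an unterminated "${", or an over-long variable name. */
int expand_config_value(const char *value, char *out, size_t cap) {
    size_t len = 0;
    const char *p = value;
    char name[128];
    out[0] = '\0';
    if (*p == '~' && (p[1] == '/' || p[1] == '\0')) {   /* leading "~" only */
        const char *home = getenv("HOME");
        if (append(out, cap, &len, home ? home : "") < 0) return -1;
        p++;
    }
    while (*p) {
        if (*p == '$' && (p[1] == '{' || p[1] == '_' || isalpha((unsigned char)p[1]))) {
            int braced = (p[1] == '{');
            const char *start = p + 1 + braced, *end = start, *v;
            while (isalnum((unsigned char)*end) || *end == '_') end++;
            if (braced && *end != '}') return -1;
            if ((size_t)(end - start) >= sizeof name) return -1;
            memcpy(name, start, (size_t)(end - start));
            name[end - start] = '\0';
            v = getenv(name);
            if (append(out, cap, &len, v ? v : "") < 0) return -1;
            p = end + braced;
        } else {
            char one[2] = { *p++, '\0' };   /* "`", ";", "|" etc. copied verbatim */
            if (append(out, cap, &len, one) < 0) return -1;
        }
    }
    return 0;
}
```

Because the output is only ever used as a path string and never re-parsed by a shell, a value such as `` ~/logs/`date`.log `` becomes a file name containing literal backticks rather than a command to run.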
