Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4312e59a-2392-4405-8251-19ece737ff93@gentoo.org>
Date: Tue, 5 Nov 2024 23:42:07 -0500
From: Eli Schwartz <eschwartz@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: shell wildcard expansion (un)safety

On 11/5/24 11:12 PM, Solar Designer wrote:
> So there's no bug in the shells here, but bugs of this kind are common
> in shell usage (omitting the "--" argument where it's needed, usage of
> wildcard expansion where that is unnecessary, etc.)
> 
> Can the shells do anything to mitigate this?  I think not without
> breaking compatibility.  The only not-too-unreasonable change I can
> think of is wildcard expansion prefixing filenames with "./", maybe only
> those that start with "-" and maybe not when used with builtin "echo".


Well, to be fair the shell already does exactly this if you do

grep text ./*


> Since this didn't feel too unreasonable, I actually tested many shells
> to see whether any possibly already do this (with "/bin/echo *") - but I
> found none that do, at least not by default.  I expect this would break
> e.g. explicit comparisons of expanded filenames for equality (to some
> expected filenames the script or another program checks for later) and
> uses of the filesystem as poor man's database (which scripts sometimes
> do).  Maybe an opt-in mode or a future shell that doesn't need to stay
> 100% compatible with prior shells could do this, but even then I worry
> that it would encourage practices that would remain unsafe elsewhere.
> 
> I'll include some excerpts from the distros list discussion below:


No current shells are permitted to do it at all, if they are POSIX sh
compatible -- POSIX mandates a specific outcome:

https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_13_03

* cannot match the directory separator, it is not an option that
implementations are allowed to be flexible on, unless the shell
implements an opt-in mode such as bash's "globstar" that explicitly asks
for non-POSIX behavior. The issue then would become that no one would
remember or bother to set it, even if they wanted it. :)


-- 
Eli Schwartz


Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (237 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.