Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4312e59a-2392-4405-8251-19ece737ff93@gentoo.org>
Date: Tue, 5 Nov 2024 23:42:07 -0500
From: Eli Schwartz <eschwartz@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: shell wildcard expansion (un)safety

On 11/5/24 11:12 PM, Solar Designer wrote:
> So there's no bug in the shells here, but bugs of this kind are common
> in shell usage (omitting the "--" argument where it's needed, usage of
> wildcard expansion where that is unnecessary, etc.)
> 
> Can the shells do anything to mitigate this?  I think not without
> breaking compatibility.  The only not-too-unreasonable change I can
> think of is wildcard expansion prefixing filenames with "./", maybe only
> those that start with "-" and maybe not when used with builtin "echo".


Well, to be fair the shell already does exactly this if you do

grep text ./*


> Since this didn't feel too unreasonable, I actually tested many shells
> to see whether any possibly already do this (with "/bin/echo *") - but I
> found none that do, at least not by default.  I expect this would break
> e.g. explicit comparisons of expanded filenames for equality (to some
> expected filenames the script or another program checks for later) and
> uses of the filesystem as poor man's database (which scripts sometimes
> do).  Maybe an opt-in mode or a future shell that doesn't need to stay
> 100% compatible with prior shells could do this, but even then I worry
> that it would encourage practices that would remain unsafe elsewhere.
> 
> I'll include some excerpts from the distros list discussion below:


No current shells are permitted to do it at all, if they are POSIX sh
compatible -- POSIX mandates a specific outcome:

https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_13_03

* cannot match the directory separator, it is not an option that
implementations are allowed to be flexible on, unless the shell
implements an opt-in mode such as bash's "globstar" that explicitly asks
for non-POSIX behavior. The issue then would become that no one would
remember or bother to set it, even if they wanted it. :)


-- 
Eli Schwartz


Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (237 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.