oss-security - Re: shell wildcard expansion (un)safety

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <ZyukRn2-8UWsW7aX@nihonium>
Date: Wed, 6 Nov 2024 18:15:50 +0100
From: Fay Stegerman <flx@...usk.net>
To: oss-security@...ts.openwall.com
Subject: Re: shell wildcard expansion (un)safety

* Eli Schwartz <eschwartz@...too.org> [2024-11-06 05:42]:
> On 11/5/24 11:12 PM, Solar Designer wrote:
> > So there's no bug in the shells here, but bugs of this kind are common
> > in shell usage (omitting the "--" argument where it's needed, usage of
> > wildcard expansion where that is unnecessary, etc.)
> > 
> > Can the shells do anything to mitigate this?  I think not without
> > breaking compatibility.  The only not-too-unreasonable change I can
> > think of is wildcard expansion prefixing filenames with "./", maybe only
> > those that start with "-" and maybe not when used with builtin "echo".
> 
> Well, to be fair the shell already does exactly this if you do
> 
> grep text ./*

And shellcheck will warn about this kind of bug and suggest doing exactly that
or using "--":

$ cat x.sh
#!/bin/bash
grep text *

$ shellcheck x.sh
In x.sh line 2:
grep text *
          ^-- SC2035 (info): Use ./*glob* or -- *glob* so names with dashes won't become options.
For more information:
  https://www.shellcheck.net/wiki/SC2035 -- Use ./*glob* or -- *glob* so name...

- Fay

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.