Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <edf6e2e9-0ad3-4c50-b85b-7b6d6fa835ea@gmail.com>
Date: Thu, 7 Nov 2024 22:48:58 +0700
From: Max Nikulin <manikulin@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: shell wildcard expansion (un)safety


On 06/11/2024 11:12, Solar Designer wrote:
> The only not-too-unreasonable change I can
> think of is wildcard expansion prefixing filenames with "./", maybe only
> those that start with "-" and maybe not when used with builtin "echo".

Even this technique might have consequences unexpected by script
authors, see

<https://mywiki.wooledge.org/BashPitfalls#pf42>:
> Bash Pitfalls: 42. for file in ./* ; do if [[ $file != *.* ]]

> In the case of a pattern like *.* however, problems can arise because it
> matches a string of the form ./filename. In a simple case, you can just
> use the glob directly to generate the desired matches. If however a
> separate pattern-matching step is required (e.g. the results have been
> preprocessed and stored in an array, and need to be filtered), it could
> be solved by taking the prefix into account in the pattern:
> [[ $file != ./*.* ]], or by stripping the pattern from the match.

> # Bash
> shopt -s nullglob
> for path in ./*; do
>     [[ ${path##*/} != *.* ]] && rm "$path"
> done
> 
> # Or even better
> for file in *; do
>     [[ $file != *.* ]] && rm "./$file"
> done
> 
> # Or better still
> for file in *.*; do
>     rm "./$file"
> done

The original issue is #3 in this list:
<https://mywiki.wooledge.org/BashPitfalls#pf3>
"Filenames with leading dashes"
It is discussed in the pitfall #2 and some
<https://mywiki.wooledge.org/BashFAQ>
entries.

I am not trying to dispute that expanding leading dash to "./-" by 
default may be an improvement. However there should be a way to disable 
it in specific cases.

P.S. More and more tools are getting support of CLI options to format
output as JSON when it necessary to parse it by another program.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.