Message-ID: <CABEVAa0+EE0M3Q2wwpOSX0-VCw95xSjZV-1S4u7hSYY9K=YK7w@mail.gmail.com>
Date: Fri, 8 Nov 2024 23:02:21 +0100
From: Dominik Czarnota <dominik.b.czarnota@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: shell wildcard expansion (un)safety

This has been known since even earlier, from the article/disclosure „unix wildcards gone wild”:
https://seclists.org/fulldisclosure/2014/Jun/136

The original article link seems to not work but it can be seen e.g. here:
https://github.com/Gandosha/gandosha.github.io/blob/master/DefenseCode_Unix_WildCards_Gone_Wild.txt

It shows that in some cases this can lead to code execution, e.g. with „tar *”.

On Fri, 8 Nov 2024 at 18:47, Georgi Guninski <gguninski@...il.com> wrote:

> This is known since at least 2019, but the distro list can't tell
> vulnerability from a rant [1] [2]
>
> `grep text -- *` is not a portable solution, since not all warez recognize `--`.
>
> e.g.:
>
> $find . --
> find: unknown predicate `--'
>
>
> [1] Shell wildcards considered dangerous?
> https://seclists.org/oss-sec/2019/q4/133
>
> [2]
> https://www.linkedin.com/pulse/careful-wildcards-linux-rm-georgi-guninski-ieaif
>
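The mechanism the thread discusses, as an added example that is not part of either message: a bare `*` expands a constructed file named `-v` into an argument that most commands will parse as an option, while the `./*` prefix keeps every expansion from starting with `-` and works even for tools that do not understand `--`. The helper names and the scratch directory are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): how a filename beginning with
# '-' becomes an option argument under wildcard expansion, the ./* mitigation,
# and a detection helper for option-like names in a directory tree.

# Count how many of the given arguments look like options (begin with '-').
count_option_like() {
  n=0
  for a in "$@"; do
    case "$a" in
      -*) n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Build a constructed scratch directory: one ordinary file plus one whose
# name would be read as an option by most commands (hypothetical test data).
make_scratch() {
  d=$(mktemp -d)
  : > "$d/notes.txt"
  : > "$d/-v"          # constructed: a file name that looks like an option
  echo "$d"
}

# Unsafe pattern: the bare glob hands '-v' to the command as a plain argument,
# exactly as `tar *` or `grep text *` would receive it.
unsafe_glob_option_count() {
  ( cd "$1" && count_option_like * )
}

# Safe pattern: anchoring with ./ makes every expansion start with './', so no
# argument can begin with '-', regardless of whether the tool supports '--'.
safe_glob_option_count() {
  ( cd "$1" && count_option_like ./* )
}

# Detection helper: list files under a tree whose names begin with '-', which
# is a cheap audit for directories that untrusted users can write to.
find_option_like_names() {
  find "$1" -name '-*' -print
}
```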
