Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <21a818cc-d665-43a7-8ff0-c23769f6da04@gentoo.org>
Date: Sat, 9 Nov 2024 18:59:01 -0500
From: Eli Schwartz <eschwartz@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: shell wildcard expansion (un)safety

On 11/8/24 5:02 PM, Dominik Czarnota wrote:
> This is known since even earlier by the article/disclosure „unix wildcards
> gone wild”:
> https://seclists.org/fulldisclosure/2014/Jun/136
> 
> The original article link seems to not work but it can be seen e.g. here:
> https://github.com/Gandosha/gandosha.github.io/blob/master/DefenseCode_Unix_WildCards_Gone_Wild.txt
> 
> It shows that in some cases this can lead to code execution, e.g. with „tar
> *”


The earliest version of the Bash Pitfalls guide that includes a warning
about the topic, per the Wayback Machine:

https://web.archive.org/web/20090426020027/https://mywiki.wooledge.org/BashPitfalls#Filenames_with_leading_dashes


Overall, wildcards are just a classic "here is a programming language
footgun, we cannot fix it because the language is backwards compatible
to the 90s and earlier" which amounts to:

people love bash because it's "simple" and "easy" and "anyone can write
a bash script without knowing what they are doing".

Of course, the problem is that people who don't know what they are doing
can then write software (sometimes running as root, other times simply
as any permission context with access to sensitive info), which is quite
dangerous -- people who don't know what they are doing often write
security vulnerabilities in many languages, but it's particularly easy
to do so in a language that by definition lacks rigorous parsing, makes
it challenging to have error conditions be fatal, and is for the most
part designed to take any erroneous code you throw at it and do its best
to execute as much of that code as it can, even if lots of it doesn't
really parse correctly.

... wait a minute, are we talking about PHP after all?


-- 
Eli Schwartz


Download attachment "OpenPGP_signature.asc" of type "application/pgp-signature" (237 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.