[10325] in bugtraq
Re: Bash Bug
daemon@ATHENA.MIT.EDU (Daniel Jacobowitz)
Thu Apr 22 18:46:58 1999
Mail-Followup-To: Guy Cohen <guy@SPICE.ORG.IL>, BUGTRAQ@netspace.org
Date: Thu, 22 Apr 1999 17:43:24 -0400
Reply-To: Daniel Jacobowitz <drow@FALSE.ORG>
From: Daniel Jacobowitz <drow@FALSE.ORG>
X-To: Guy Cohen <guy@SPICE.ORG.IL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990423000257.A102@spice.org.il>; from Guy Cohen on Fri,
Apr 23, 1999 at 12:02:57AM +0300
On Fri, Apr 23, 1999 at 12:02:57AM +0300, Guy Cohen wrote:
> Unfortunately this is not true. here is why:
> rush:/tmp> bash --version
> GNU bash, version 2.03.0(1)-release (i586-pc-linux-gnu)
> Copyright 1998 Free Software Foundation, Inc.
> rush:/tmp> bash
> bash-2.03$ echo $PS1
> \s-\v\$
> bash-2.03$ cat ~/.rhosts
> cat: /export/home/guy/.rhosts: No such file or directory
> bash-2.03$ mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
> bash-2.03$ cd \\\ \ /
> bash-2.03$ cat /export/home/guy/.rhosts\
> + +
> sh-2.03$
That's a quoting error. Look at the mkdir command you typed, and
observe that the backticks are not escaped - thus even inside of ""
they are evaluated.
Witness:
$ ls /drow/.rh*
ls: /drow/.rh*: No such file or directory
$ echo $PS1
\$
$ mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
$ ls /drow/.rhosts\
/drow/.rhosts
It doesn't even get .rhosts right - there's a space at the end. You
told bash to make the directory:
`echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ `
Dan
/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz |__| CMU, CS class of 2002 |
| Debian GNU/Linux Developer __ Part-Time Systems Programmer |
| dan@debian.org | | drow@cs.cmu.edu |
\--------------------------------/ \--------------------------------/
