On Tue, Jan 12, 2010 at 02:20:36PM +0100, Xyne wrote:
I was brainstorming to think of possible exploits. It looks like this is valid syntax:
echo normal stuff exit 0 any funky stuff I want pkgver=#$#%$%%^&^$@#$$@^ } more funky stuff {
Running bash -n on that gives 0. Now there's not necessarily anything wrong here---unless your parser doesn't stop parsing at the exit command. If it goes past that, then maybe exploits could be introduced, because we wouldn't be entitled to the assumption that the rest of the code is valid syntax.
I haven't tested that but I don't think it would be an issue. As long as it doesn't break out of the function declaration, it shoulld work and afaik, you can include "exit" inside a function. I'm not a Bash expert though, so correct me if I'm wrong.
Yes, there's not necessarily a problem here. The wrapper function you construct would be syntactically valid and would execute fine. (It would exit whatever shell it's executed in.) I mention it to point out that you have to be careful regexping through the source (even the Bash-canonically-formatted source) of a function that Bash says is syntactically valid. There may be parts of that source that you assume to be valid Bash but which aren't, because they come after an exit. There may be other ways to do this too, e.g., with an exec. E.g.: TESTFILE=$(cat <<"EOF" echo normal stuff exit 0 any funky stuff I want pkgver=#$#%$%%^&^$@#$$@^ } more funky stuff { EOF ) WRAPPED=$'wrapper() {\n'"$TESTFILE"$'\n}' bash -n <<< "$WRAPPED" echo $? # prints 0 bash <<< "$WRAPPED"$'\ntype wrapper' prints: ======= wrapper is a function wrapper () { echo normal stuff; exit 0; any funky stuff I want; pkgver=#$#%$%%^ & ^$@#$$@^ } more funky stuff { } The garbage comes out in the output of `set` too, as well as `type wrapper`. Now if you try regexping that, without truly parsing it, you may if you're not careful find yourself processing the garbage at the end. That may make exploits possible. I like the approach you're using, but this loophole occurred to me and I thought you should know about it. You'll have to decide whether it's worth protecting against. But that makes salient the question of what advantage you're aiming to get by what you're doing rather than just checking the PKGBUILD with bash -n and if that works, sourcing it with some appended echos to print out the variables we're interested in. One possible advantage would be to protect against malicious stuff. If that's your aim, then you should be protecting against exploits like this may make possible. -- Jim Pryor profjim@jimpryor.net