Yes, dangerous.
Authored by: stewby on Aug 31, '05 11:20:18PM

None of these items are ever exposed to a command line, either directly or by output within a backtick construct

You are assuming that none of the bookmarks themselves contain backticks. By the time the CAT<<... portion is piped into sh, there are no more shell escapes, so everything in each of those items would be subject to full shell interpretation. Backticks, $, etc.

While the common case would simply be a partially mangled export, this allows arbitrary code execution (obviously vastly more likely to be accidental than malicious, but still a very dangerous thing to run). Deletion of files, upload of files to remote server, you name it. If you don't believe it, try it with a bookmark named `touch ~/uh-oh`
And a fix
Authored by: stewby on Aug 31, '05 11:38:53PM

And as a follow-up, you can make it more correct (no mangled names) and much safer by changing

<<END_BOOKMARK
to
<<'"'"'END_BOOKMARK'"'"'
(Yes, that's single-quote double-quote single-quote double-quote single-quote on each side)
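The difference the quoted delimiter makes, as an added example that is not code from the hint or from these comments. It assumes, as the thread describes, that the export script builds shell text containing a here-document and pipes that text into sh; the bookmark title is a constructed sample, and the '"'"' sequence in the fix is only needed because the generator's text sits inside single quotes, so the line that actually reaches sh reads <<'END_BOOKMARK'.

```shell
#!/bin/sh
# Added example, not code from the original hint or from these comments.
# Reproduces the pattern under discussion: a generator emits shell text
# whose here-document body is an untrusted bookmark title, and that text
# is then piped into sh. TITLE is a constructed sample containing backticks.
TITLE='Sample `echo EXPANDED` title'

# Emit the generated script. $1 is the delimiter exactly as it should
# appear after "<<": END_BOOKMARK (unquoted) or 'END_BOOKMARK' (quoted).
build_script() {
    printf 'cat <<%s\n%s\nEND_BOOKMARK\n' "$1" "$TITLE"
}

# Unquoted delimiter: when the generated script runs, the heredoc body is
# subject to backtick, $(...) and $VAR expansion, so the command embedded
# in the title executes and only its output lands in the export.
render_unquoted() {
    build_script END_BOOKMARK | sh
}

# Quoted delimiter (the line sh sees is <<'END_BOOKMARK'): the body is
# copied verbatim, so the title is exported unchanged and nothing runs.
render_quoted() {
    build_script "'END_BOOKMARK'" | sh
}

# Show both behaviours side by side when run directly.
echo "unquoted: $(render_unquoted)"
echo "quoted:   $(render_quoted)"
```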