Do not evaluate arithmetic expressions from environment variables at startup, validation #205
Comments
The CVE vulnerability you're referencing should have been fixed in 593a5a8.
I believe so, though arguably it should not be doing that because of the single quotes. But it's easy to test:
That happens in the current shell, no other shell is even launched. What actually gets passed to the child shell is the value '3'. This can be tested as follows:
I think this is caused by the fact that And in arithmetic expressions, command substitutions in array indices are evaluated as well, even if they were passed as literal and quoted strings. I think that is pretty bogus. It might warrant an issue of its own.
Thank you for triple checking this. I do appreciate it. I believe #152 covers this then.
Another check, to be extra sure:
Nothing untoward happens if we stop the current shell from evaluating the expression.
I was reading over the wiki and tried the following referenced check for CVE-2019-14868 as it relates to command execution via startup environment variables. To my surprise, it seemed to work when my shell was ksh93 but not when my shell was bash or zsh. Is this because my current ksh parent process is evaluating the contents of SHLVL before passing it along to the new ksh invocation?