oss-sec mailing list archives

Re: shell wildcard expansion (un)safety


From: Eli Schwartz <eschwartz () gentoo org>
Date: Tue, 5 Nov 2024 23:42:07 -0500

On 11/5/24 11:12 PM, Solar Designer wrote:
> So there's no bug in the shells here, but bugs of this kind are common
> in shell usage (omitting the "--" argument where it's needed, usage of
> wildcard expansion where that is unnecessary, etc.)
>
> Can the shells do anything to mitigate this?  I think not without
> breaking compatibility.  The only not-too-unreasonable change I can
> think of is wildcard expansion prefixing filenames with "./", maybe only
> those that start with "-" and maybe not when used with builtin "echo".


Well, to be fair the shell already does exactly this if you do

grep text ./*


> Since this didn't feel too unreasonable, I actually tested many shells
> to see whether any possibly already do this (with "/bin/echo *") - but I
> found none that do, at least not by default.  I expect this would break
> e.g. explicit comparisons of expanded filenames for equality (to some
> expected filenames the script or another program checks for later) and
> uses of the filesystem as a poor man's database (which scripts sometimes
> do).  Maybe an opt-in mode or a future shell that doesn't need to stay
> 100% compatible with prior shells could do this, but even then I worry
> that it would encourage practices that would remain unsafe elsewhere.
>
> I'll include some excerpts from the distros list discussion below:


No current shells are permitted to do it at all, if they are POSIX sh
compatible -- POSIX mandates a specific outcome:

https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_13_03

* cannot match the directory separator, it is not an option that
implementations are allowed to be flexible on, unless the shell
implements an opt-in mode such as bash's "globstar" that explicitly asks
for non-POSIX behavior. The issue then would become that no one would
remember or bother to set it, even if they wanted it. :)


-- 
Eli Schwartz
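The hazard and the "./*" workaround discussed above, as an added shell example that is not part of the thread: it builds a constructed scratch directory containing a file named "-n" and shows how the bare and "./"-prefixed expansions differ when handed to the builtin echo. The function names are mine; it assumes a POSIX sh whose builtin echo treats "-n" as an option (bash and dash both do).

```shell
#!/bin/sh
# Added example (not from the thread): show why a bare "*" can hand a
# utility an argument it parses as an option, and how the "./*" form
# avoids that. All files are constructed in a scratch directory.

# Create a scratch directory holding a constructed file named "-n"
# (the option echo understands) next to an ordinary file.
make_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/-n"
    : > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Bare expansion: "*" becomes "-n notes.txt", and the builtin echo
# consumes "-n" as its own flag, so that file name never appears.
echo_bare() {
    ( cd "$1" && echo * )
}

# Prefixed expansion: every operand starts with "./", so nothing can be
# mistaken for an option, whether or not the utility honours "--".
echo_dotslash() {
    ( cd "$1" && echo ./* )
}

# Audit helper: list the entries of a directory whose names begin with
# "-", i.e. the ones a script using a bare "*" would mishandle.
option_like_names() {
    (
        cd "$1" || exit 1
        for f in *; do
            case $f in
                -*) printf '%s\n' "$f" ;;
            esac
        done
    )
}

# Remove the fixture. "--" is the other mitigation the thread mentions:
# it ends option parsing for utilities that support it, so the operand
# is always taken as a path.
cleanup_fixture() {
    rm -rf -- "$1"
}
```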
