oss-sec mailing list archives
Re: shell wildcard expansion (un)safety
From: Steffen Nurpmeso <steffen () sdaoden eu>
Date: Thu, 07 Nov 2024 01:08:19 +0100
David A. Wheeler wrote in
 <F60236E0-F65A-4441-9E62-64EE55016B2C () dwheeler com>:
 |> On Nov 5, 2024, at 11:12 PM, Solar Designer <solar () openwall com> wrote:
 |> Alexander Hu, CC'ed here, sent a message titled "shell expansion bug" to
 |> the distros list and a few other distro security contacts and shell
 |> maintainers.  The message described known and correct behavior (not a
 |> bug), even if unexpected by some and risky.
 ...
 |
 |> Since this issue and other related ones were known for decades,
 |> getopt(3) and getopt_long(3), which are used by many programs, will stop
 |> processing options upon seeing a plain "--" argument.
 |
 |However, many programs do *not* use getopt or getopt_long to process \
 |arguments.
 |Many programs support "--", but *not* all do, so using "--" as the sole \
 |countermeasure
 |requires careful review of every command's documentation.
 |
 |I urge always using "./" to prefix wildcards if the first character \
 |is a wildcard,
 |e.g., "./*.pdf", because this ALWAYS works.
 |
 |> ... over the years we gained things like ...
 |>
 |>   find . -mindepth 1 -maxdepth 1 -type f -print0 | xargs -0 grep text --
 |
 |The "-print0" and "-0" options have been widely implemented, but
 |POSIX 2024 finally formally adds them.  So I urge using them where they
 |make sense, as they counter embedded linefeed characters in filenames.

To add that the POSIX core developers mention (APPLICATION USAGE):

  It should be noted that using find with −print0 to pipe input to
  xargs −r0 is less safe than using find with −exec because if find
  −print0 is terminated after it has written a partial pathname, the
  partial pathname may be processed as if it was a complete pathname.

  ...

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
|And in Fall, feel "The Dropbear Bard"s ball(s).
|
|The banded bear
|without a care,
|Banged on himself fore'er and e'er
|
|Farewell, dear collar bear
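The three behaviours the thread discusses, as an added POSIX sh example that is not part of any message in the thread: a bare `*` hands a name such as `-rf` to the command as an option-looking word while `./*` never does, and a filename containing a newline is counted twice by newline-separated `find -print` output but once by `-print0` and by `-exec ... {} +`, which needs no delimiter at all. The scratch directory, the filenames in it and the helper function names are all constructed for this example; it needs only sh, find, awk, tr, wc and mktemp.

```shell
#!/bin/sh
# Added example, not code from the oss-sec thread. Builds a scratch
# directory with awkward (constructed) filenames and measures how each
# enumeration technique copes with them.

LC_ALL=C; export LC_ALL   # fixed collation so glob order is predictable

make_fixture() {
    # Prints the path of a fresh directory holding three regular files.
    dir=$(mktemp -d) || return 1
    : > "$dir/normal.txt"
    : > "$dir/-rf"                    # a name that looks like rm options
    nl=$(printf '\nx'); nl=${nl%x}    # portable way to hold a newline
    : > "$dir/two${nl}lines.txt"      # a name with an embedded newline
    printf '%s\n' "$dir"
}

count_option_like_words() {
    # $1 = directory, $2 = glob pattern. Expands the pattern inside $1 and
    # counts the resulting words that start with "-", i.e. the words an
    # option parser would misread. Pathname-expansion results are not
    # field-split, so the newline-containing name stays one word.
    ( cd "$1" || exit 1
      n=0
      for w in $2; do
          case $w in -*) n=$((n + 1)) ;; esac
      done
      echo "$n" )
}

count_files_newline_separated() {
    # Naive pipeline: one line per name. A name containing a newline is
    # counted twice; this is the failure "-print0" and "-0" were added for.
    find "$1" -type f -print | wc -l | tr -d ' '
}

count_files_nul_separated() {
    # Count NUL terminators instead of newlines; the embedded newline is
    # now just another byte inside one record.
    find "$1" -type f -print0 | tr -dc '\000' | wc -c | tr -d ' '
}

count_files_via_exec() {
    # -exec ... {} + passes complete pathnames as separate argv entries,
    # so no delimiter is involved and no partial name can ever be seen
    # (the point of the POSIX APPLICATION USAGE note). The inner sh reports
    # its argument count; awk sums the counts if find spawns more than once.
    find "$1" -type f -exec sh -c 'echo "$#"' sh {} + |
        awk '{ s += $1 } END { print s + 0 }'
}

demo() {
    d=$(make_fixture) || exit 1
    echo "words starting with '-' from *   : $(count_option_like_words "$d" '*')"
    echo "words starting with '-' from ./* : $(count_option_like_words "$d" './*')"
    echo "files counted via -print | wc -l : $(count_files_newline_separated "$d")"
    echo "files counted via -print0        : $(count_files_nul_separated "$d")"
    echo "files counted via -exec {} +     : $(count_files_via_exec "$d")"
    rm -r -- "$d"   # "--" is fine here because rm is known to support it
}

demo
```

The `-rf` file never reaches rm's option parser in `demo` because the directory is removed by its absolute path; the same reasoning is why `rm ./*` is safe regardless of whether a given utility honours `--`.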
Current thread:
- shell wildcard expansion (un)safety Solar Designer (Nov 05)
- Re: shell wildcard expansion (un)safety David A. Wheeler (Nov 06)
- Re: shell wildcard expansion (un)safety Steffen Nurpmeso (Nov 06)
- Re: shell wildcard expansion (un)safety Solar Designer (Nov 06)
- Re: shell wildcard expansion (un)safety Steffen Nurpmeso (Nov 07)
- Re: shell wildcard expansion (un)safety Steffen Nurpmeso (Nov 07)
- Re: shell wildcard expansion (un)safety Mats Wichmann (Nov 07)
- Re: shell wildcard expansion (un)safety Steffen Nurpmeso (Nov 07)
- Re: shell wildcard expansion (un)safety Solar Designer (Nov 07)
- Re: shell wildcard expansion (un)safety Steffen Nurpmeso (Nov 15)
- Re: shell wildcard expansion (un)safety Steffen Nurpmeso (Nov 06)
- Re: shell wildcard expansion (un)safety David A. Wheeler (Nov 06)
