oss-sec mailing list archives

Re: shell wildcard expansion (un)safety


From: Dominik Czarnota <dominik.b.czarnota () gmail com>
Date: Fri, 8 Nov 2024 23:02:21 +0100

This has been known since even earlier, from the article/disclosure "unix wildcards gone wild":
https://seclists.org/fulldisclosure/2014/Jun/136

The original article link seems to not work but it can be seen e.g. here:
https://github.com/Gandosha/gandosha.github.io/blob/master/DefenseCode_Unix_WildCards_Gone_Wild.txt

It shows that in some cases this can lead to code execution, e.g. with "tar *".

On Fri, 8 Nov 2024 at 18:47, Georgi Guninski <gguninski () gmail com> wrote:

This has been known since at least 2019, but the distro list can't tell a
vulnerability from a rant [1] [2].

`grep text -- *` is not a portable solution, since not all warez recognize `--`.

e.g.:

$find . --
find: unknown predicate `--'


[1] Shell wildcards considered dangerous?
https://seclists.org/oss-sec/2019/q4/133

[2]
https://www.linkedin.com/pulse/careful-wildcards-linux-rm-georgi-guninski-ieaif
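As an added illustration of the portability point in the quoted message (my own example, not code from either poster): `--` is not understood by every tool, but prefixing the glob as `./*` makes every expanded name start with `./`, so no tool can read it as an option. The script assumes a POSIX sh with GNU or BSD grep and find; the file names it creates are constructed for the demo, and the file called `-v` stands in for any name that happens to look like a flag.

```shell
#!/bin/sh
# Added example, not part of the thread: shows why `./*` is the portable
# fix for option injection via file names, where `--` is not (find rejects
# it, as the quoted message shows).

# Constructed sample directory: one ordinary file plus a file whose name
# looks like an option. Prints the directory path on stdout.
setup_demo() {
    dir=$(mktemp -d) || return 1
    printf 'secret text\n' > "$dir/notes.txt"
    printf 'secret text\n' > "$dir/-v"     # constructed: looks like a flag
    printf '%s' "$dir"
}

# Bare glob: `*` expands to `-v notes.txt`, so GNU grep treats `-v` as
# "invert match" and never searches that file. Returns the number of files
# grep reports as matching (0 with GNU grep, which is the surprise).
bare_grep_matches() {
    ( cd "$1" && grep -l text * 2>/dev/null | wc -l | tr -d ' ' )
}

# Same search with the `./*` idiom: `./-v ./notes.txt` cannot be parsed as
# options by any tool, so both files are searched and both match.
dotslash_grep_matches() {
    ( cd "$1" && grep -l text ./* 2>/dev/null | wc -l | tr -d ' ' )
}

# find has no `--`, so a bare glob hands it `-v` as an unknown predicate
# and it aborts. With `./*` it lists both regular files. Returns the count.
dotslash_find_files() {
    ( cd "$1" && find ./* -type f 2>/dev/null | wc -l | tr -d ' ' )
}

run_demo() {
    d=$(setup_demo) || exit 1
    echo "grep text *   -> $(bare_grep_matches "$d") file(s) reported"
    echo "grep text ./* -> $(dotslash_grep_matches "$d") file(s) reported"   # 2
    echo "find ./*      -> $(dotslash_find_files "$d") regular file(s)"       # 2
    rm -rf "$d"
}

run_demo
```

The same `./*` idiom applies to any command that takes a list of paths (`rm`, `chown`, `tar`), and it works on shells and utilities that have never heard of `--`.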

