Date: Mon, 29 Sep 2014 20:34:52 -0400
From: Chet Ramey <chet.ramey@...e.edu>
To: Florian Weimer <fweimer@...hat.com>, oss-security@...ts.openwall.com
CC: chet.ramey@...e.edu
Subject: Re: Array importing in bash 4.3

On 9/29/14, 10:42 AM, Florian Weimer wrote:
>> From: Florian Weimer <fweimer@...hat.com>
>>
>> Note that if you ship 4.3, you might want to reevaluate a decision to
>> enable array variable import from the environment.
> 
> I changed the subject because I'm sure this parenthetical comment got lost.
> 
> Fortunately, in bash 4.3 (patchlevel 25), you cannot just -DARRAY_EXPORT
> and get array variable import/export.  The code doesn't compile, and if you
> fix that, it does not link, and if you fix that, well, you end up with the
> following issue.

That's a ton of trouble to go through just for this.  I don't have any
plans to enable array export.

> The array import/export feature allows one to export and import variables
> while preserving their array status.  Unfortunately, it enables this:
> 
> $ env -i 'FOO=([$(echo broken > /dev/tty)]=a)' ./bash -c true
> broken
> ./bash: []=a: bad array subscript

That's actually how array assignment works.  The array index is run
through the shell word expansions, including command substitution, and
then the arithmetic expression evaluator to get the index.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@...e.edu    http://cnswww.cns.cwru.edu/~chet/
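
The subscript evaluation described in the reply above, shown in a stock bash, with a check for indexes that arrive as data. This is an added example, not part of the original message or of bash itself; the function names and sample values are constructed, and it assumes `bash` is on `PATH`.

```shell
# Added example: function names and sample values are assumptions.

# Run a fixed, harmless script in a child bash and print the indexes that
# end up set. Each subscript goes through word expansion, then arithmetic.
subscript_demo() {
    bash -c '
        a=()
        a[$(printf 2)]=cmdsub   # command substitution runs inside the subscript
        a[1+4]=arith            # the result is evaluated as arithmetic
        n=7; a[n]=name          # a bare name is resolved as a variable
        printf "%s\n" "${!a[*]}"
    '
}

# Accept only a plain decimal index: no expansions, names or operators.
is_plain_index() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
        0) return 0 ;;
        0*) return 1 ;;            # a leading zero would be read as octal
    esac
    return 0
}

# Store value $2 at index $1 only after the index passes the check.
# The index is handed to bash as a positional parameter, never as script text.
set_slot() {
    is_plain_index "$1" || { echo "rejected index: $1" >&2; return 1; }
    bash -c 'a=(); a[$1]=$2; printf "%s=%s\n" "${!a[@]}" "${a[@]}"' _ "$1" "$2"
}

subscript_demo     # prints: 2 5 7
set_slot 3 x       # prints: 3=x
```
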
