Date: Mon, 29 Sep 2014 20:34:52 -0400 From: Chet Ramey <chet.ramey@...e.edu> To: Florian Weimer <fweimer@...hat.com>, oss-security@...ts.openwall.com CC: chet.ramey@...e.edu Subject: Re: Array importing in bash 4.3 On 9/29/14, 10:42 AM, Florian Weimer wrote: >> From: Florian Weimer <fweimer@...hat.com> >> >> Note that if you ship 4.3, you might want to reevaluate a decision to >> enable array variable import from the environment. > > I changed the subject because I'm sure this parenthetical comment got lost. > > Fortunately, in bash 4.3 (patchlevel 25), you cannot just -DARRAY_EXPORT > and get array variable import/export. The code doesn't compile, and if you > fix that, it does not link, and if you fix that, well, you end up with the > following issue. That's a ton of trouble to go through just for this. I don't have any plans to enable array export. > The array import/export feature allows one to export and import variables > while preserving their array status. Unfortunately, it enables this: > > $ env -i 'FOO=([$(echo broken > /dev/tty)]=a)' ./bash -c true > broken > ./bash: =a: bad array subscript That's actually how array assignment works. The array index is run through the shell word expansions, including command substitution, and then the arithmetic expression evaluator to get the index. Chet -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, ITS, CWRU chet@...e.edu http://cnswww.cns.cwru.edu/~chet/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.