Can't pass ';' in script arguments #171
Good catch - what do you propose we do? Ignore everything after
At the same time this doesn't exactly trigger privilege escalation but I can see how injecting commands could be a security risk in certain cases.
So from skimming the code, I think the issue is with how `eval "\"\$script\" \$scriptargs \"\\\$@\""; res=\$?` Which will be (partly) expanded as: `eval "\"\$script\" one;two \"\\\$@\""; res=\$?` Ignoring everything after the In bash I know of easy (enough) ways to either escape the variable or build the array, but sadly I don't know how to do that in sh...
I also think it's more than just
To support this,
where There's an open issue #112 where someone already tried to use this invocation and it's not an uncommon pattern for passing a script argument. On the other hand, literally anything is supported within a shell script and you could trivially write up that compound command in a script and invoke that as the
I propose parsing up to and including the label and then saving the rest with another Rich Felker trick:
https://www.etalabs.net/sh_tricks.html It's on my ever-growing todo list. 😁
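The splitting reported in this issue and the quoting fix proposed above, as an added example that is not makeself's code or any commenter's. `quote` and `save` follow Rich Felker's helpers from the linked page; `inner_script`, `injected`, `run_unquoted` and `run_quoted` are hypothetical names, and the sample arguments are constructed.

```sh
#!/bin/sh
# Constructed demo of the eval splitting discussed in this issue and of the
# quoting fix. Nothing here is makeself's own code.

# quote/save after Rich Felker's sh tricks: wrap each string in single
# quotes and rewrite every embedded ' as '\'' so eval sees one literal word.
quote() { printf %s\\n "$1" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"; }
save() {
    for i do
        printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/"
    done
    echo " "
}

# Hypothetical stand-in for the embedded startup script: records its argv.
inner_script() { for a in "$@"; do CALLS="${CALLS}[$a]"; done; }
# Hypothetical marker: if this ever runs, argument data was parsed as code.
injected() { INJECTED=yes; }

# Pattern from the issue: the argument string is pasted into the eval text
# unquoted, so the shell re-parses ';' as a command separator.
run_unquoted() {
    CALLS=; INJECTED=no
    scriptargs=$1
    eval "inner_script $scriptargs"
    printf '%s %s\n' "$INJECTED" "$CALLS"
}

# Fix: quote the command word and every argument before handing them to eval.
run_quoted() {
    CALLS=; INJECTED=no
    eval "$(quote inner_script) $(save "$@")"
    printf '%s %s\n' "$INJECTED" "$CALLS"
}

run_unquoted 'one; injected'   # marker runs, script sees only "one"
run_quoted 'one; injected'     # marker never runs, argument arrives intact
```

Each function prints the marker state followed by the argument vector the stand-in script received, so the two runs can be compared directly.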
I feel this passes the responsibility of quoting arguments to the caller instead of the tool taking care of it in an opaque way, so it'll make
That's a neat little bag of tricks there, @realtime-neil. @nivbend I can see that point of view. On the other hand, it's a fairly standard pattern; and if the command doesn't have any variables in it, it's easy to just single-quote the whole thing and be done with it. It's the equivalent of an API change, so it's not a thing to change lightly.
* edit `makeself-header`:
  * change every `script` & `scriptargs` to `startup_command`
  * use `quote` (implemented in `makeself.sh`) to assign `startup_command`
  * change diagnostic references of "script" to "command"
* edit `makeself.sh`:
  * add Rich Felker's `quote` and `save`
  * move first instructions to follow last function definition
  * use `save` to assign `MS_COMMAND`
  * use `save` to assign `STARTUP_COMMAND`
* add `test/startupcommandtest` to test weird characters in files and startup commands
When passing `;` to the inner script the rest of the arguments are interpreted as a command to be executed:

This allows execution of commands:
Relates to #57.