On Sunday 27 Mar 2011, Joachim Breitner wrote:
> On Sunday, 27.03.2011, at 08:16 +0530, Raj Mathur (राज माथुर) wrote:
> > Both are unsafe. Consider the user who enters his username as
> > (literally): Raj `rm -rf /`Mathur
> > Then your grep command translates to: grep -q "^Raj `rm -rf /`Mathur$" present
> > and if your app is running as root, voila! no more files on your system! The user is marked present too :)
> > The OP needs to do much more thinking about input sanitisation.
>
> No, this line is safe with
> $ fgrep -qx "$USER" present
> Thanks to the quotes around $USER, the `...` part would not be executed. But the quotes should be around every use of USER; in the later part of the code your exploit works.

That is not correct. Please read up on shell quoting before posting definitive but wrong information to a public mailing list.
The exploit I posted will work.
Regards,
-- Raj
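
The behaviour the two posters disagree about can be tested directly. The script below is an added example, not code from either poster or from the original script: it replaces the destructive payload with a constructed one that only creates a marker file, then checks whether the marker appears when the value is passed as a quoted variable and when it is re-parsed as shell source. The `eval` form is an assumed stand-in for any later code path that rebuilds a command line from the value; `grep -F` is the POSIX spelling of `fgrep`.

```shell
#!/bin/sh
# Constructed test data: a scratch directory, an attendance file, and a
# "username" whose backtick payload only creates a marker file if it ever runs.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MARKER="$WORK/executed"
NAME='Raj `touch $MARKER`Mathur'      # single quotes: stored literally
printf '%s\n' 'Raj Mathur' "$NAME" > "$WORK/present"

# Quoted-variable form: the value reaches grep as one literal argument.
# The result of a parameter expansion is not parsed again as shell code.
# Returns 0 only if the payload ran.
marker_after_quoted() {
    rm -f "$MARKER"
    grep -F -qx -- "$1" "$WORK/present" || true
    [ -e "$MARKER" ]
}

# Re-parsed form (assumption, modelled with eval): the value is pasted into
# a string that the shell then parses as a command line, so the backticks
# are seen as syntax and executed. Returns 0 only if the payload ran.
marker_after_eval() {
    rm -f "$MARKER"
    eval "grep -q \"^$1\$\" \"\$WORK/present\" || true"
    [ -e "$MARKER" ]
}

if marker_after_quoted "$NAME"; then
    echo "quoted variable: payload executed"
else
    echo "quoted variable: payload not executed"
fi

if marker_after_eval "$NAME"; then
    echo "re-parsed string: payload executed"
else
    echo "re-parsed string: payload not executed"
fi
```

The `--` before the pattern also stops a value that begins with `-` from being read as a grep option.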