On Sunday 27 Mar 2011, Joachim Breitner wrote:
On Sunday, 27.03.2011, at 08:16 +0530, Raj Mathur (राज माथुर) wrote:
Both are unsafe. Consider the user who enters his username as
(literally): Raj `rm -rf /`Mathur
Then your grep command translates to: grep -q "^Raj `rm -rf /`Mathur$" present
and if your app is running as root, voila! no more files on your system! The user is marked present too :)
The OP needs to do much more thinking about input sanitisation.
No, this line is safe with $ fgrep -qx "$USER" present
Thanks to the quotes around $USER, the `...` part would not be executed. But the quotes should be around every use of USER; in the later part of the code, your exploit works.
As Binand pointed out in personal mail, you are absolutely correct and the shell will not interpret `...` commands in a variable read from a user.
My apologies.
Regards,
-- Raj
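
Added example, not part of the original thread: a POSIX sh script showing that backticks inside a variable's value are not run when the variable is expanded, that an unquoted expansion is still word-split, and how the regex lookup (grep -q "^...$") differs from the fixed-string one (fgrep -qx). The function names, the scratch files and the sample names are constructed for illustration, with a harmless `touch executed` standing in for the destructive command.

```shell
#!/bin/sh
# Constructed input: the username from the thread, with a harmless
# `touch executed` in place of the destructive command.
NAME='Raj `touch executed`Mathur'

# Whole-line, fixed-string lookup (the thread's fgrep -qx "$USER").
# "--" keeps a name that starts with "-" from being parsed as an option.
is_present() {
    grep -Fqx -- "$1" "$2"
}

# The regex form from the thread, for comparison: the name acts as a pattern.
is_present_regex() {
    grep -q -- "^$1\$" "$2"
}

# Number of arguments a command actually receives.
count_args() {
    echo "$#"
}

# Looks the name up in a scratch roster, expands it quoted and unquoted,
# then reports whether the embedded command ran: "ran" or "not-run".
substitution_check() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    printf '%s\n' "$NAME" > present
    is_present "$NAME" present || exit 1
    count_args $NAME >/dev/null   # unquoted on purpose: still no execution
    if [ -e executed ]; then echo ran; else echo not-run; fi
    cd / && rm -rf "$dir"
)

# Tests the pattern-like name "R.. Mathur" against a roster that holds
# only "Raj Mathur", and prints which lookup accepts it.
regex_check() (
    dir=$(mktemp -d) || exit 1
    printf 'Raj Mathur\n' > "$dir/present"
    is_present_regex 'R.. Mathur' "$dir/present" && printf 'regex-match '
    is_present 'R.. Mathur' "$dir/present" || printf 'fixed-no-match'
    echo
    rm -rf "$dir"
)

substitution_check    # not-run
count_args "$NAME"    # 1
count_args $NAME      # 3
regex_check           # regex-match fixed-no-match
```

The value is only executed if it is parsed again as shell code; plain expansion, quoted or not, never does that.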