dequote function allows to execute arbitrary commands

[fmunozs]

I'd like to report a security issue with the dequote function inside bash, since it uses eval it allows to execute commands from the parameters passed to it. The name suggests it should only dequote and it could create security issues if somebody trust that it only does that. I'll be reporting the issue to OSS-SEC list and request for a CVE identifier which you can use when a new release is available.

# dequote  "hola"
hola
# dequote ';id'
uid=0(root) gid=0(root) groups=0(root)

Credit: Marcelo Echeverria, Fernando Muñoz

This issue was first identified on 2014 [1] but nobody cared to report it here.

[1] https://lists.gnu.org/archive/html/bug-bash/2014-04/msg00058.html

[Artoria2e5]

You might want to do this for the 'normal' cases, or the shell will unquote the whole thing as it reads the command.

dequote "\"hola\""
dequote "'foo';id"

[akinomyoga]

I think this has been fixed in #736.

[Artoria2e5]

Huh, 736 is some really fancy regex, but the comment does explain it well enough. It looks like this complexity is justified anyways, since the completion receives the words with potential variable expansions on the cmdline?

[akinomyoga]

Yes, it would be useful to allow variable expansions in the completed word.

[akinomyoga]

I think this issue can be closed.