
I was reading the man page of find; in the -exec command {} section, it states that the {} should be quoted to protect it from interpretation by shells.

I'm trying to reproduce such a behaviour locally without any success and wondering in what context that interpretation applies.

Here is what I am doing to try to get that interpretation to work:

echo "Hi" > f1
touch -- \$\(ls\ \-la\) -n
find ./ -type f -exec cat {} +

Just basically trying to get either a switch or a command to be interpreted as it's parsing the malicious file names, but it doesn't get interpreted as suggested in the man page.

What am I missing?

Alternatively, is there a way to exploit such a line of code with cat as the command and not any other?

1 Answer

In many shells, the braces start a brace expansion. But sh-compatible shells, Zsh and (t)csh still leave the plain {} alone. However, at least the fish shell doesn't, it removes an unquoted {}, and e.g. echo {} would then output just an empty line. That would break the find command using {}, so you need to quote the braces.

It's not about the filename being processed for shell expansions after find fills it in. At that point, there's no shell involved, unless you explicitly invoke one.

ilkkachu
  • I see, so if I understand well, in bash there would be no way to inject malicious code through that specific command " find ./ -type f -exec cat {} + " because the cat won't evaluate anything that's being fed by the find result but rather with something like "find ./ -type f -exec sh -c " cmd {}" ; – FeatherAndInk Sep 27 '20 at 16:46
  • @FeatherAndInk, yes. And to prevent that being an issue, you'd run find ./ -type f -exec sh -c 'echo "$1"' sh {} \; instead. Also note that find isn't required to expand {} in the middle of an argument, so the broken version might not even work. – ilkkachu Sep 27 '20 at 16:50
  • In the case of fish, that changed in 3.0.0. See my answer in the GNU find and masking the {} for some shells - which? duplicate. – Stéphane Chazelas Sep 27 '20 at 17:19
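
The three cases from the answer and comments side by side, as an added example that is not part of the original posts: direct exec of cat, {} embedded in an sh -c string, and the file name passed as "$1". The temporary directory, the file names and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo directory and file names (not from the original posts).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'Hi\n' > "$demo_dir/f1"
: > "$demo_dir/-n"                      # looks like a cat option
: > "$demo_dir/"'$(echo INJECTED)'      # looks like a command substitution

# Case 1: find execs cat directly. Each path is one argv entry, prefixed with
# the starting point, so no shell parses it and "-n" never begins an argument.
direct_exec() {
    find "$demo_dir" -type f -exec cat {} +
}

# Case 2: {} embedded in the sh -c code string. Where find substitutes {}
# inside a longer argument (GNU find does), the file name becomes shell source.
unsafe_embed() {
    find "$demo_dir" -type f -name '*INJECTED*' -exec sh -c 'echo {}' \;
}

# Case 3: the file name is passed as data in "$1" and is never parsed as code.
safe_param() {
    find "$demo_dir" -type f -name '*INJECTED*' -exec sh -c 'echo "$1"' sh {} \;
}

printf 'direct_exec : %s\n' "$(direct_exec)"
printf 'unsafe_embed: %s\n' "$(unsafe_embed)"
printf 'safe_param  : %s\n' "$(safe_param)"
```

On a find that does not substitute {} inside a longer argument, the second case prints a literal {} instead of the evaluated name.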