-
Notifications
You must be signed in to change notification settings - Fork 1.8k
SC2156
wodry edited this page Aug 9, 2021
·
9 revisions
find . -name '*.mp3' -exec sh -c 'i="{}"; sox "$i" "${i%.mp3}.wav"' \;find . -name '*.mp3' -exec sh -c 'i="$1"; sox "$i" "${i%.mp3}.wav"' _ {} \;In the problematic example, the filename is passed by injecting it into a shell string. Any shell metacharacters in the filename will be interpreted as part of the script, and not as part of the filename. This can break the script and allow arbitrary code execution exploits.
In the correct example, the filename is passed as a parameter. It will be safely treated as literal text. The _ is a dummy string that becomes $0 in the script.
None.