[Toybox] Shell corner cases.

Chet Ramey chet.ramey at case.edu
Thu May 1 14:43:49 PDT 2025


On 5/1/25 3:44 PM, Rob Landley wrote:
> On 5/1/25 10:29, Chet Ramey wrote:
>> On 4/30/25 6:23 PM, Rob Landley wrote:
>>
>>> Somebody forwarded that to me from an exploit how-to site. It's 
>>> apparently a trick used to subvert scripts that call things via absolute 
>>> path to avoid malicious $PATH.
>>
>> I suppose if you can get a script to source an arbitrary file, you can do
>> pretty much anything.
> 
> $ command /usr/bin/whoami
> landley
> $ command() { echo nope; }
> $ command /usr/bin/whoami
> nope
> 
> What was the _benefit_ of allowing / in command names?

I can't remember; it was 35 years ago. It's been that way since pre-1.0.

> 
>>> $ x() { echo hello; }; D=x; $D
>>> hello
>>
>> OK? Commands are parsed, then executed.
> 
> To me, that seemed like analogous behavior working on the same line.

Not at all. The line is parsed into three commands and executed:

1. The shell function is created by the function definition command.

2. The variable D is given a value by the simple command.

3. The variable D is expanded as part of word expansion and the result
    is executed as a simple command.

I don't see how you get much a similarity here, since there's nothing
changed by the parser like in alias expansion.

> 
> Mostly the use of alias I've encountered seems to be things like alias 
> ls='ls -l' allowing additional arguments, although ls() { ls -l "$@"; } 
> seems like it could do it too.

Most of what aliases do can be done with shell functions. The bash man
page says as much. The really tricky stuff is where you change how the
shell parses a command.

  The _unique_ feature is stuff like:
> 
>    $ alias ls='ls >'
>    $ ls
>    bash: syntax error near unexpected token `newline'

Yes: you can change the shell syntax. You can also introduce syntax errors;
the POSIX description of `alias' contains some examples.


> It works for prefix assignments but not:
> 
> $ alias blah='echo hello'
> $ >file blah
> $ cat blah
> cat: blah: No such file or directory

What are you expecting this to do? Where do you create a file named `blah'?
Maybe you meant `cat file', which would display `hello'.


>>> $ bash -c $'echo $LINENO;alias a=b\necho $LINENO;a'
>>> 1
>>> 2
>>> bash: line 2: a: command not found
>>
>> Anywhere the shell executes a string (the command_string argument to
>> `sh -c', `eval', command substitution bodies), it parses the entire string
>> as a compound_list and then executes that list.
> 
> I just did fmemopen(buf, strlen(buf), "r") and fed it to the same line 
> reading loop as everything else. You're saying I should write extra code to 
> behave differently for the special case.

You have agency here, Rob: you don't have to do anything you don't want to.
I'm telling you what other shells -- including bash -- do and what POSIX
says (most of it's unspecified).


>>> And, of course:
>>>
>>> $ alias one=two
>>> $ on\e
>>> bash: one: command not found
>>
>> When that is tokenized, the backslash is still part of the word, so it
>> can't match an alias name.
> 
> Only because:

No, the two are separate but related. POSIX doesn't allow alias
substitution if any of the characters in the token are quoted, so it makes
no sense to allow alias names that contain, for instance, a backslash.
(POSIX also has other restrictions on alias names.)

> $ alias on\\e=two
> bash: alias: `on\e': invalid alias name
> 
> Which function definition _doesn't_ do...

Yes, bash is really liberal about what it allows in function names --
basically anything that you can put in a filename. POSIX says a conforming
application must ensure it's a `name', but allows implementations to extend
the allowed characters, and bash does.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet at case.edu    http://tiswww.cwru.edu/~chet/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: OpenPGP digital signature
URL: <http://lists.landley.net/pipermail/toybox-landley.net/attachments/20250501/3095717d/attachment.sig>


More information about the Toybox mailing list