busybox seq doesn't handle negative numbers

Steffen Nurpmeso steffen at sdaoden.eu
Wed Apr 5 16:15:14 UTC 2023


David Laight wrote in
 <431dc1a049e445c6aaf57b8995f465d1 at AcuMS.aculab.com>:
 |...
 |> Yeah, the thing rather is that GNU getopt parses the command line
 |> and performs reorders.  I never really looked, but since the
 |> (entire family of the) mailer i maintain earned a security
 |> advisory for possible option injection attacks i always wondered
 |> how secure that can be...
 |
 |Yes, that is entirely broken and should never have been committed.
 |I have to remember to add the 'magic character' to disable it.

Well ok as you say it, GNU coreutils seq uses an initial "+" to
avoid this "permutation".  I did not really look.  GNU coreutils:

  #?0|kent:src$ grep -r getopt *.c|grep ' "[^+]'|wc -l
  58
  #?0|kent:src$ grep -r getopt *.c|grep ' "[+]'|wc -l
  10
  #?0|kent:src$ grep -r getopt *.c|grep ' "[+]'|cut -f1 -d' '
  basename.c:
  chroot.c:
  nice.c:
  pathchk.c:
  printenv.c:
  runcon.c:
  seq.c:
  stdbuf.c:
  timeout.c:
  tr.c:

In my opinion permutation is nonetheless a really expensive and
terrible thing, and once you are used to having to terminate option
processing to be on the safe side, you got it.  Some things just
need treatment, so it is.

 |Historically a few programs use nonstandard argument ordering.
 |Most notably 'rlogin hostname -l username' but that really
 |doesn't justify how gnu getopt() works.
 |
 |Programs like tail, seq and sort are old and have argument
 |parsing that (probably) predates the standard.
 |(Although 'sort +4' seems to have been disabled even though
 |it worked fine for over 30 years.)
 |
 |I wonder if there is an easy way to 'escape' from busybox
 |getopt's 'unknown option' error path without printing a
 |message (and them being able to print the message) so that
 |programs like seq can decide that -12 isn't actually invalid.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
