Unquoted output in bash scripts

Hello,

In several places in the backupninja helpers, unquoted output from commands is being passed to a function. There, globbing can take place, or in some cases, shell execution could be possible. In some corner cases, it could pose a security risk.

I have grepped backupninja-1.0.1-2 from the Ubuntu distribution (16.04).

Result:

# grep -n '\(info\|warning\|debug\|fatal\|error\) \+\$output' /usr/share/backupninja/* 
/usr/share/backupninja/dup:278:      debug $output
/usr/share/backupninja/dup:281:      debug $output
/usr/share/backupninja/dup:297:         debug $output
/usr/share/backupninja/dup:300:         debug $output
/usr/share/backupninja/dup:319:               debug $output
/usr/share/backupninja/dup:322:               debug $output
/usr/share/backupninja/dup:340:   debug $output
/usr/share/backupninja/dup:343:                            info $output
/usr/share/backupninja/dup:345:                            error $output
/usr/share/backupninja/makecd:54:   debug $output
/usr/share/backupninja/makecd:57:   warning $output
/usr/share/backupninja/makecd:68:         debug $output
/usr/share/backupninja/makecd:71:         warning $output
/usr/share/backupninja/makecd:80:         debug $output
/usr/share/backupninja/makecd:83:         warning $output
/usr/share/backupninja/mysql:197:            debug $output
/usr/share/backupninja/mysql:200:            warning $output
/usr/share/backupninja/mysql:220:               debug $output
/usr/share/backupninja/mysql:223:               warning $output
/usr/share/backupninja/mysql:317:            debug $output
/usr/share/backupninja/pgsql:134:         debug $output
/usr/share/backupninja/pgsql:137:         warning $output
/usr/share/backupninja/pgsql:164:            debug $output
/usr/share/backupninja/pgsql:167:            warning $output
/usr/share/backupninja/pgsql:201:            debug $output
/usr/share/backupninja/pgsql:204:            warning $output
/usr/share/backupninja/rdiff:185:         debug $output
/usr/share/backupninja/rdiff:188:         warning $output
/usr/share/backupninja/rdiff:271:      debug $output
/usr/share/backupninja/rdiff:274:      error $output
/usr/share/backupninja/sys:625:         debug $output
/usr/share/backupninja/sys:628:         debug $output
/usr/share/backupninja/sys:662:   debug $output

These params should be quoted, i.e.: warning "$output"

I found the issue when running the mysql helper:

# backupninja --run /etc/backup.d/10-mysqldump.mysql 
Info: >>>> starting action /etc/backup.d/10-mysqldump.mysql (because of --now)
Debug: yes
...
Debug: su root -c "/usr/bin/mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --lock-tables --complete-insert --add-drop-table --quick --quote-names --skip-lock-tables  information_schema | /bin/gzip --rsyncable > '/var/backups/mysql/sqldump/information_schema.sql.gz'"
Warning: mysqldump: Couldn't execute 'SELECT /*!40001 SQL_NO_CACHE file1/ file2/ file3 ... FROM `GLOBAL_STATUS`': The 'INFORMATION_SCHEMA.GLOBAL_STATUS' feature is disabled; see the documentation for 'show_compatibility_56' (3167)
Warning: Failed to dump mysql databases information_schema

Look at the text after SQL_NO_CACHE: file1, file2, file3, etc. - these are files from the current directory, globbed from "*/", output by mysqldump :-/

Edited by anarcat
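
The behaviour reported above, reproduced as an added example (not part of the original report and not backupninja code): the same message is passed to a logging helper unquoted and then quoted. The helper `log_msg`, the sample message and the directory contents are constructed assumptions.

```shell
#!/bin/sh
# Added example: unquoted vs. quoted $output handed to a logging helper.

# Hypothetical stand-in for a helper such as debug/warning: joins its
# arguments into one line, as a simple message logger would.
log_msg() { printf '%s\n' "$*"; }

# Constructed sample modelled on the mysqldump warning in the report.
output="Couldn't execute 'SELECT /*!40001 SQL_NO_CACHE */ * FROM \`GLOBAL_STATUS\`'"

# Constructed working directory containing file1/ file2/ file3/.
make_demo_dir() {
    d=$(mktemp -d) && mkdir "$d/file1" "$d/file2" "$d/file3" && printf '%s\n' "$d"
}

# Before: $output is word-split, then each word is treated as a glob
# pattern, so "*/" and "*" are replaced by names from the current directory.
log_unquoted() { ( cd "$1" && log_msg $output ); }

# After: the quoted expansion reaches the helper as one unmodified argument.
log_quoted() { ( cd "$1" && log_msg "$output" ); }

demo_dir=$(make_demo_dir)
echo "unquoted: $(log_unquoted "$demo_dir")"
echo "quoted:   $(log_quoted "$demo_dir")"
rm -rf "$demo_dir"
```

The unquoted line shows directory names where the SQL comment terminator and column wildcard used to be; the quoted line matches the original message byte for byte.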