Blaming the operating system for allowing people to create files with unusual characters in their names
> What we have here is a case of creating an insecure system and then being surprised that the system is insecure.
This is all too common, but the fix is equally shortsighted. Always too much focus on narrow aspect of the problem.
> They claimed that the issue could be fixed by simply adding the ampersand to the list of illegal file name characters. They forgot about the percent sign (for injecting environment variables), the caret (for escaping), and possibly even the apostrophe.
CVE-2020-8816 – Pi-hole Remote Code Execution
> Pi-hole is affected by a Remote Code Execution vulnerability. An authenticated user of the Web portal can execute arbitrary command with the underlying server with the privileges of the local user executing the service. Exploitation of this vulnerability can be automated.
Neat trick to get around input restrictions:
> Luckily for us, the PATH contains the strings “pihole” and “usr” which in turn contains the “p”, “h” and “r” lower-case characters. Those are the only letters we need to write “php -r”.
Clear Your Terminal in Style
> If you’re someone like me who habitually clears their terminal, sometimes you want a little excitement in your life. Here is a way to do just that.
> murex is a shell, like bash / zsh / fish / etc. It follows a similar syntax to POSIX shells like Bash however supports more advanced features than you’d typically expect from a $SHELL.
> It aims to be similar enough to traditional shells that you can retain most of your muscle memory, while not being afraid to make breaking changes where “bash-isms” lead to unreadable, hard to maintain, or unsafe code.
gter - a terminal for GUI apps
A shell may be more accurate?
Your Makefiles are wrong
> Your Makefiles are full of tabs and errors. An opinionated approach to writing (GNU) Makefiles that I learned from Ben may still be able to salvage them.
I don’t agree with everything, or even most of this, but worth considering.
> Miller is like awk, sed, cut, join, and sort for name-indexed data such as CSV, TSV, and tabular JSON. You get to work with your data using named fields, without needing to count positional column indices.
> This is something the Unix toolkit always could have done, and arguably always should have done. It operates on key-value-pair data while the familiar Unix tools operate on integer-indexed fields: if the natural data structure for the latter is the array, then Miller’s natural data structure is the insertion-ordered hash map. This encompasses a variety of data formats, including but not limited to the familiar CSV, TSV, and JSON. (Miller can handle positionally-indexed data as a special case.)
Git submodule update command execution
> The git submodule update operation can lead to execution of arbitrary shell commands defined in the .gitmodules file.
snek - Python from PowerShell
> Snek is a cross-platform PowerShell module for integrating with Python. It uses the Python for .NET library to load the Python runtime directly into PowerShell. Using the dynamic language runtime, it can then invoke Python scripts and modules and return the result directly to PowerShell as managed .NET objects.
kill tail(1) when sh exits
> As a solution, the POSIX shell provides a built-in named trap, documented here. In short it allows to define actions to be executed upon signaling, and that includes shell termination. It is similar to atexit(3) in POSIX C.
pure sh bible
> A collection of pure POSIX sh alternatives to external processes.
Batch renaming images, including image resolution, with awk
> I previously wrote about the power of command line tools like sed. This post expands on how to string all this magical functionality into one big, long, rainbow-coloured, viscous stream of awesome.
> Today, we’re introducing a new shell, written in Rust. It draws inspiration from the classic Unix philosophy of pipelines, the structured data approach of PowerShell, functional programming, systems programming, and more.
A one liner to rename files.
> ls | grep ‘aaa’ | sed ‘p;s/aaa/bbb/’ | xargs -n2 | xargs -L1 bash -c ‘mv $0 $1’
shebangs and busybox
> neat, right? this lets us write shell scripts that are portable across all sorts of different setups. except there’s a problem.
Tricking the tricksters with a next level fork bomb
> Some people make a cruel sport out of tricking newbies into running destructive shell commands.
> Years ago, I came across someone doing this, and decided to trick them back.
How Bash decides it's being invoked through sshd and sources your .bashrc
> In practice, a non-interactive Bash decides that it is being invoked by SSHD if either $SSH_CLIENT or $SSH2_CLIENT are defined in the environment. In a robotic sense this is perfectly correct, since OpenSSH’s sshd puts $SSH_CLIENT in the environment when you do ‘ssh host command’. In practice it is wrong, because OpenSSH sets $SSH_CLIENT all the time, including for logins. So if you use SSH to log in somewhere, $SSH_CLIENT will be set in your shell environment, and then any non-interactive Bash will decide that it should source ~/.bashrc.
This seems incredibly messy.
goto - command transfer
> Goto is allowed only when the Shell is taking commands from a file. The file is searched from the beginning for a line beginning with `:’ followed by one or more spaces followed by the label. If such a line is found, the goto command returns. Since the read pointer in the command file points to the line after the label, the effect is to cause the Shell to transfer to the labelled line.
kitty - the fast, featureful, GPU based terminal emulator
> kitty is designed for power keyboard users. To that end all its controls work with the keyboard (although it fully supports mouse interactions as well). Its configuration is a simple, human editable, single file for easy reproducibility (I like to store configuration in source control).
> The code in kitty is designed to be simple, modular and hackable. It is written in a mix of C (for performance sensitive parts) and Python (for easy hackability of the UI). It does not depend on any large and complex UI toolkit, using only OpenGL for rendering everything.
> Finally, kitty is designed from the ground up to support all modern terminal features, such as unicode, true color, bold/italic fonts, text formatting, etc. It even extends existing text formatting escape codes, to add support for features not available elsewhere, such as colored and styled (curly) underlines. One of the design goals of kitty is to be easily extensible so that new features can be added in the future with relatively less effort.
> fish 3 is a major release, which introduces some breaking changes alongside improved functionality. Although most existing scripts will continue to work, they should be reviewed against the list contained below.