What if you had to fight against your company’s culture to bring a revolutionary tool to life? Meet Jeffrey Snover, the Microsoft architect behind PowerShell, a command tool that transformed Windows system administration. Initially met with skepticism, Snover’s idea faced resistance from a company that favored graphical interfaces.

source: HN

Now it became immediately obvious to my why HiCA only supports acme.sh. They are not conforming to ACME at all! (Bugs the heck outa me that they’re using the official ACME logo on their site even though they don’t implement the ACME standard.)

Instead, HiCA is stealthily crafting curl commands and piping the output to bash. acme.sh is (being tricked into?) running arbitrary code from a remote server.

source: HN

What’s this? The second part of the pipeline still ran? Of course it did. It’s *already running* at the point that the reader fails. Its stdin is hooked to the stdout of the other thing, Unix-centipede style.

The simple thing to say about this is that it only happens on Ubuntu 16.04, not on 18.04 or 20.04, and it happens because Ubuntu’s normal /etc/bash.bashrc defines a command_not_found_handle function that winds up running a helper program to produce this ‘did you mean’ report. The helper program comes from the command-not-found package, which is installed because it’s Recommended by ubuntu-standard.

Python can execute code. Make sure it executes only the code you want it to.

Not exclusive to python either.

source: L

Interesting environment variables to supply to scripting language interpreters

source: HN

What we have here is a case of creating an insecure system and then being surprised that the system is insecure.

This is all too common, but the fix is equally shortsighted. Always too much focus on narrow aspect of the problem.

They claimed that the issue could be fixed by simply adding the ampersand to the list of illegal file name characters. They forgot about the percent sign (for injecting environment variables), the caret (for escaping), and possibly even the apostrophe.

Pi-hole is affected by a Remote Code Execution vulnerability. An authenticated user of the Web portal can execute arbitrary command with the underlying server with the privileges of the local user executing the service. Exploitation of this vulnerability can be automated.

Neat trick to get around input restrictions:

Luckily for us, the PATH contains the strings “pihole” and “usr” which in turn contains the “p”, “h” and “r” lower-case characters. Those are the only letters we need to write “php -r”.

source: HN

If you’re someone like me who habitually clears their terminal, sometimes you want a little excitement in your life. Here is a way to do just that.

source: HN

murex is a shell, like bash / zsh / fish / etc. It follows a similar syntax to POSIX shells like Bash however supports more advanced features than you’d typically expect from a $SHELL.

It aims to be similar enough to traditional shells that you can retain most of your muscle memory, while not being afraid to make breaking changes where “bash-isms” lead to unreadable, hard to maintain, or unsafe code.

https://github.com/lmorg/murex

source: HN

A shell may be more accurate?

source: HN

Your Makefiles are full of tabs and errors. An opinionated approach to writing (GNU) Makefiles that I learned from Ben may still be able to salvage them.

I don’t agree with everything, or even most of this, but worth considering.

source: HN

Miller is like awk, sed, cut, join, and sort for name-indexed data such as CSV, TSV, and tabular JSON. You get to work with your data using named fields, without needing to count positional column indices.

This is something the Unix toolkit always could have done, and arguably always should have done. It operates on key-value-pair data while the familiar Unix tools operate on integer-indexed fields: if the natural data structure for the latter is the array, then Miller’s natural data structure is the insertion-ordered hash map. This encompasses a variety of data formats, including but not limited to the familiar CSV, TSV, and JSON. (Miller can handle positionally-indexed data as a special case.)

https://github.com/johnkerl/miller

The git submodule update operation can lead to execution of arbitrary shell commands defined in the .gitmodules file.

source: grugq

From https://ironmansoftware.com/snek-integrating-python-in-powershell/

Snek is a cross-platform PowerShell module for integrating with Python. It uses the Python for .NET library to load the Python runtime directly into PowerShell. Using the dynamic language runtime, it can then invoke Python scripts and modules and return the result directly to PowerShell as managed .NET objects.

source: R

As a solution, the POSIX shell provides a built-in named trap, documented here. In short it allows to define actions to be executed upon signaling, and that includes shell termination. It is similar to atexit(3) in POSIX C.

source: L

A collection of pure POSIX sh alternatives to external processes.

I previously wrote about the power of command line tools like sed. This post expands on how to string all this magical functionality into one big, long, rainbow-coloured, viscous stream of awesome.

Today, we’re introducing a new shell, written in Rust. It draws inspiration from the classic Unix philosophy of pipelines, the structured data approach of PowerShell, functional programming, systems programming, and more.

source: L

A one liner to rename files.

ls | grep ‘aaa’ | sed ‘p;s/aaa/bbb/’ | xargs -n2 | xargs -L1 bash -c ‘mv $0 $1’

source: Dfly