added 11 characters in body
Stéphane Chazelas

You've got a vulnerability when there's a path for privilege escalation, that is when someone (let's call him the attacker) is able to do something they are not meant to.

Most people will bump into bugs associated with unquoted variables because of the split part (for instance, it's common for files to have spaces in their names nowadays and space is in the default value of $IFS). Many people will overlook the glob part. The glob part is at least as dangerous as the split part.

Arbitrary code execution is the worst type of vulnerability, since if the attacker can run any command, there's no limit on what they may do.

And with a $1 with value (IFS=-1234567890), that arithmetic evaluation has the side effect of setting $IFS, and the next [ command fails, which means the check for too many args is bypassed.

deleted 2 characters in body
Stéphane Chazelas

In most shells, leaving a variable expansion unquoted (though that (and the rest of this answer) also applies to command substitution (`...` or $(...)) and arithmetic expansion ($((...)) or $[...])) has a very special meaning. A good way to describe it is that it is like invoking some sort of implicit split+glob operator¹.

added 770 characters in body
Stéphane Chazelas

There are a few places though where quotes are not accepted. The main one being inside Korn-style arithmetic expressions in many shells like in echo "$(( $1 + 1 ))" "${array[$1 + 1]}" "${var:$1 + 1}" where the $1 must not be quoted (being in a list context --the arguments to a simple command-- the overall expansions still need to be quoted though).

Inside those, the shell understands a separate language altogether inspired by C. In AT&T ksh for instance $(( 'd' - 'a' )) expands to 3 like it does in C and not the same as $(( d - a )) would. Double quotes are ignored in ksh93 but cause a syntax error in many other shells. In C, "d" - "a" would return the difference between pointers to C strings. Doing the same in shell would not make sense.

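As an added example (not part of Stéphane's answer), a hypothetical POSIX sh argument check in the shape the $IFS passage above describes, shown next to a hardened version that validates $1 before it reaches the unquoted arithmetic position discussed in the previous paragraph; the function names and the argument limit of 2 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Hypothetical functions.

# Vulnerable: $1 reaches arithmetic before any validation, and the
# argument-count test that follows uses an unquoted $#.
# In arithmetic context an argument such as "(IFS=-1234567890)" is an
# assignment expression, so evaluating it silently sets IFS. The unquoted
# $# (for example "4") is then field-split on those digits, [ gets an
# empty or missing operand and errors out, and the "too many arguments"
# branch is skipped: the check is bypassed.
limit_unsafe() {
  limit=$(( $1 ))
  if [ $# -gt 2 ]; then
    echo 'too many arguments' >&2
    return 1
  fi
  echo "limit=$limit"
  return 0
}

# Hardened: quote every expansion, check the argument count first, and
# only let a string of decimal digits through to the arithmetic expansion.
# Inside $(( )) the $1 itself stays unquoted, as the text explains; the
# difference is that it has already been validated when it gets there.
limit_safe() {
  if [ "$#" -gt 2 ]; then
    echo 'too many arguments' >&2
    return 1
  fi
  case "$1" in
    ''|*[!0-9]*)
      echo "invalid limit: $1" >&2
      return 1 ;;
  esac
  limit=$(( $1 ))
  echo "limit=$limit"
  return 0
}

# Run a variant in a subshell so a changed IFS cannot leak into the caller;
# returns the exit status of the function named in $1 called with the rest.
run_isolated() {
  fn=$1; shift
  ( "$fn" "$@" ) >/dev/null 2>&1
}
```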
Remaining revisions (edit summary, author):
  • added 2 characters in body (Stéphane Chazelas)
  • added 69 characters in body (Stéphane Chazelas)
  • added 962 characters in body (Stéphane Chazelas)
  • added 291 characters in body (Stéphane Chazelas)
  • added 842 characters in body (Stéphane Chazelas)
  • added 3 characters in body (Stéphane Chazelas)
  • added 31 characters in body (Stéphane Chazelas)
  • added 74 characters in body (Stéphane Chazelas)
  • added 3 characters in body (Stéphane Chazelas)
  • added 219 characters in body (Stéphane Chazelas)
  • added 9 characters in body (Stéphane Chazelas)
  • added 16 characters in body (Stéphane Chazelas)
  • removed the "especially on Linux" bit. From a test, it's about as bad on FreeBSD. (Stéphane Chazelas)
  • added 51 characters in body (Stéphane Chazelas)
  • avoid http links (Stéphane Chazelas)
  • Add link to "Are quotes needed for local variable assignment?" (Wildcard)
  • deleted 2 characters in body (Stéphane Chazelas)
  • added 7 characters in body (Stéphane Chazelas)
  • at&t server down, replace with link to web archive (Stéphane Chazelas)
  • added 9 characters in body (Stéphane Chazelas)
  • added 6 characters in body (Stéphane Chazelas)
  • typo (Stéphane Chazelas)