[CentOS] bash - safely pass untrusted strings?
Garrick Staples
garrick at usc.edu
Tue Feb 26 19:35:19 UTC 2008
On Tue, Feb 26, 2008 at 11:22:55AM -0800, Benjamin Smith alleged:
> On Tuesday 26 February 2008, Les Mikesell wrote:
> > >
> > > WHY THE @!#! NOT?!?!?
> >
> > The shell is 'supposed' to be run by a user that is allowed to run any
> > command he wants, and permission/trust issues are handled by the
> > login/authentication process that happens before you get to the shell.
> > If you give the shell a bad command under your own account, it's not
> > supposed to second guess what you wanted.
>
> I'm not asking for this. I'm only asking for the option to be able to trust
> that a parameter is... a parameter. EG:
>
> file: script1.sh
> #! /bin/bash
> script2.sh $1
> exit 0;
>
> file: script2.sh
> #! /bin/bash
> echo $1;
>
> $ script1.sh "this\ parameter";
>
> I get output of "this"! script2 gets two parameters! I want a way for 1
> parameter to STAY 1 parameter upon request, so that script2.sh would
> output "this parameter", like
You need to quote the variable:
#!/bin/bash
echo "$1"
>
> file:script1.sh
> #! /bin/bash
> PassToShell2=escapethis $1;
> script2.sh $PassToShell2;
> exit 0;
You are missing two sets of quotes:
#!/bin/bash
PassToShell2="escapethis $1"
script2.sh "$PassToShell2"
[...snip blah blah rant...]
> http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO-12.html#ss12.1
>
> Here's what I get:
>
> mv: invalid option -- a
> Try `mv --help' for more information.
That's a bug in the script.
It should be:
mv -- "$file" "$file$suffix"
> Or with a file with a space:
> echo "blah" > "d";
> echo "blah" > "d foo";
>
> The TLDP's example doesn't move file "d foo". I get:
> mv: cannot stat `d': No such file or directory
> mv: cannot stat `foo': No such file or directory
>
> So I ask again: This doesn't strike you as fundamentally borkeD? The emperor
> wears no clothes!
Just another case of missing double quotes.
It's the programmer that is borked, not the fundamentals :)
[...snip more rants...]
--
Garrick Staples, GNU/Linux HPCC SysAdmin
University of Southern California
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
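The points made in this exchange (quote the expansion so one argument stays one argument, and put `--` before file names so `mv` cannot read them as options) are shown together in the following script. It is an added example, not code from the thread or from the TLDP HOWTO; every function name in it is my own, and the file names it creates (`d`, `d foo`, `-a`) are constructed to reproduce the failures described above.

```bash
#!/bin/bash
# Added example (not from the thread): how quoting and "--" keep an
# untrusted string one argument and keep it from being parsed as an option.
# All function names here are assumptions of this example.

# Report how many arguments reached the callee.
count_args() { echo "$#"; }

# Unquoted expansion: the shell word-splits (and globs) the value, so
# 'this\ parameter' arrives as two words, 'this\' and 'parameter'.
pass_unquoted() { count_args $1; }

# Quoted expansion: whatever $1 holds (spaces, backslashes, *) is one word.
pass_quoted() { count_args "$1"; }

# Print an argument verbatim. printf '%s\n' does not treat a leading "-n"
# or "-e" as an option the way echo can, so it is the safer choice for
# user-supplied data.
print_arg() { printf '%s\n' "$1"; }

# Append $2 to every regular file in directory $1. "--" ends mv's option
# parsing, so a name such as "-a" is a file rather than a flag, and the
# double quotes keep "d foo" from splitting into "d" and "foo".
add_suffix() {
    local dir=$1 suffix=$2 file
    ( cd -- "$dir" || exit 1
      for file in *; do
          [ -f "$file" ] || continue
          mv -- "$file" "$file$suffix"
      done )
}

# Demo on a constructed directory holding the names from the thread.
demo() {
    local tmp
    tmp=$(mktemp -d) || return 1
    printf 'blah\n' > "$tmp/d"
    printf 'blah\n' > "$tmp/d foo"
    printf 'blah\n' > "$tmp/-a"
    printf 'unquoted: %s args, quoted: %s args\n' \
        "$(pass_unquoted 'this\ parameter')" "$(pass_quoted 'this\ parameter')"
    add_suffix "$tmp" .bak
    ls -- "$tmp"
    rm -rf -- "$tmp"
}

demo
```

Running it prints `unquoted: 2 args, quoted: 1 args`, then the renamed files `-a.bak`, `d foo.bak` and `d.bak`; drop either the quotes in `add_suffix` or the `--` and you get the `invalid option -- a` and `cannot stat` errors quoted in the thread.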