[CentOS] bash - safely pass untrusted strings?
Benjamin Smith
lists at benjamindsmith.com
Tue Feb 26 23:30:02 UTC 2008
On Tuesday 26 February 2008, Les Mikesell wrote:
> Benjamin Smith wrote:
> > > Unless I'm terribly mistaken (again?), the only way I've been able to
> > see "loop thru a list of files" work reliably is with "find" using
> > the "-print0" option, in cahoots with xargs.
> >
> > Is there any other way?
>
> for file in wildcard*
> do
> ls -l "$file"
> done
>
> But this is the point where you should be asking what to do about quotes
> embedded in the filenames which won't hurt here because of the order of
> operations but would if you tried to collect the strings and use them in
> some other ways.
Exactly. Here's my example:
$ ls -laFd *
-rw-r--r-- 1 bens nobody 5 2008-02-26 12:21 Disney\ trip\ -a\ mother\\'s\ journey.doc
-rwxr--r-- 1 bens nobody 103 2008-02-26 13:35 script1.sh*
-rwxr--r-- 1 bens nobody 26 2008-02-26 11:54 script2.sh*
-rw-r--r-- 1 bens nobody 52 2008-02-26 15:15 script3.sh
-rw-r--r-- 1 bens nobody 55 2008-02-26 13:17 t
Note that, even here, there's a file called "-b" that's been inadvertently
hidden!
$ ls -laFd -- *
-b Disney trip -a mother\'s journey.doc script1.sh script2.sh script3.sh
t
$ cat -- -b
blah
$
File script3.sh contains the following:
$ cat script3.sh
#! /bin/sh
for file in $*
do
ls -l "$file";
done
[bens at turing tt]$
And when I run script3.sh, I get:
$ /bin/bash ./script3.sh *
total 48
-rw-r--r-- 1 bens nobody 5 2008-02-26 12:14 -b
-rw-r--r-- 1 bens nobody 5 2008-02-26 12:21 Disney\ trip\ -a\ mother\\'s\ journey.doc
-rwxr--r-- 1 bens nobody 103 2008-02-26 13:35 script1.sh
-rwxr--r-- 1 bens nobody 26 2008-02-26 11:54 script2.sh
-rw-r--r-- 1 bens nobody 52 2008-02-26 15:18 script3.sh
-rw-r--r-- 1 bens nobody 55 2008-02-26 13:17 t
ls: cannot access Disney: No such file or directory
ls: cannot access trip: No such file or directory
total 64
drwxr-xr-x 2 bens nobody 4096 2008-02-26 13:17 .
drwxr-xr-x 14 bens bens 4096 2008-02-26 11:54 ..
-rw-r--r-- 1 bens nobody 5 2008-02-26 12:14 -b
-rw-r--r-- 1 bens nobody 5 2008-02-26 12:21 Disney trip -a mother\'s journey.doc
-rwxr--r-- 1 bens nobody 103 2008-02-26 13:35 script1.sh
-rwxr--r-- 1 bens nobody 26 2008-02-26 11:54 script2.sh
-rw-r--r-- 1 bens nobody 52 2008-02-26 15:18 script3.sh
-rw-r--r-- 1 bens nobody 55 2008-02-26 13:17 t
ls: cannot access mother\'s: No such file or directory
ls: cannot access journey.doc: No such file or directory
-rwxr--r-- 1 bens nobody 103 2008-02-26 13:35 script1.sh
-rwxr--r-- 1 bens nobody 26 2008-02-26 11:54 script2.sh
-rw-r--r-- 1 bens nobody 52 2008-02-26 15:18 script3.sh
-rw-r--r-- 1 bens nobody 55 2008-02-26 13:17 t
$
It's obviously getting slipped up on the "-b". Tried again:
$ cat script3.sh
#! /bin/bash
for file in $*
do
ls -l -- "$file";
done
$ /bin/bash ./script3.sh *
-rw-r--r-- 1 bens nobody 5 2008-02-26 12:14 -b
ls: cannot access Disney: No such file or directory
ls: cannot access trip: No such file or directory
ls: cannot access -a: No such file or directory
ls: cannot access mother\'s: No such file or directory
ls: cannot access journey.doc: No such file or directory
-rwxr--r-- 1 bens nobody 103 2008-02-26 13:35 script1.sh
-rwxr--r-- 1 bens nobody 26 2008-02-26 11:54 script2.sh
-rw-r--r-- 1 bens nobody 57 2008-02-26 15:21 script3.sh
-rw-r--r-- 1 bens nobody 55 2008-02-26 13:17 t
Still has bad errors with properly quoted, otherwise legal file names. Redefine
IFS?
> Does anyone have a quick reference to the order of operations as the
> shell parses a command line (variable parsing,i/o redirection, wildcard
> and variable expansion, splitting on IFS, quote removal, command
> substitution etc.)? That's really the first thing you need to know
> about the shell and if there is a simple description it must be buried
> in the middle of some obscure manual.
>
> --
> Les Mikesell
> lesmikesell at gmail.com
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
--
Only those who reach toward a goal are likely to achieve it.
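The following script is an added example, not code from either message in the thread. It recreates the awkward file names from the post in a scratch directory and contrasts the loop used in script3.sh (unquoted `$*`, which is word-split and then globbed after expansion) with the two forms that survive arbitrary names: `"$@"` plus `--`, and `find -print0 | xargs -0`. The function names `make_fixture`, `unsafe_count`, `safe_count` and `find_count` are this example's own.

```bash
#!/bin/bash
# Added example: reproduce the word-splitting failure from the thread and
# show the loops that handle spaces, leading dashes, backslashes and quotes.
set -u

# Create a scratch directory holding the names from the original listing.
# The names are constructed here for the demonstration.
make_fixture() {
  local dir
  dir=$(mktemp -d) || return 1
  : > "$dir/-b"
  : > "$dir/Disney trip -a mother\\'s journey.doc"
  : > "$dir/script1.sh"
  printf '%s\n' "$dir"
}

# Unsafe (the script3.sh pattern): unquoted $* is joined with the first
# character of IFS, split again on IFS, then glob-expanded, so one name
# with spaces turns into several words. Returns the number of words seen.
unsafe_count() {
  local n=0 file
  for file in $*; do
    n=$((n + 1))
  done
  echo "$n"
}

# Safe: "$@" expands to exactly one word per argument, and "--" tells ls
# that what follows is an operand even if it starts with "-".
# Returns the number of names, failing if any of them cannot be listed.
safe_count() {
  local n=0 file
  for file in "$@"; do
    ls -l -- "$file" >/dev/null 2>&1 || return 1
    n=$((n + 1))
  done
  echo "$n"
}

# Safe across a tree: NUL is the only byte a path name cannot contain, so
# -print0 / xargs -0 carry every other character, newlines included.
# Returns the number of lines ls printed, one per regular file.
find_count() {
  echo $(( $(find "$1" -type f -print0 | xargs -0 ls -ld -- | wc -l) ))
}

# Stand-alone run: the unsafe loop over-counts, the other two agree.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  d=$(make_fixture)
  printf 'unquoted $*   : %s words\n' "$(cd "$d" && unsafe_count *)"
  printf '"$@" with --  : %s files\n' "$(cd "$d" && safe_count *)"
  printf 'find -print0  : %s files\n' "$(find_count "$d")"
  rm -rf "$d"
fi
```

With the three fixture files, the `$*` loop reports seven words (the document name alone splits into five), while the other two forms report three. Setting IFS to a newline only narrows the problem, since a name can contain newlines too; quoting `"$@"`, or using NUL delimiters, is what actually closes it.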