[CentOS] bash - safely pass untrusted strings?
Les Mikesell
lesmikesell at gmail.com
Wed Feb 27 17:46:13 UTC 2008
Stephen Harris wrote:
>> Yes, but I'm looking for what happens before and after. Why does
>> unset foo
>> foo=bar >$foo
>> do something you might expect, but
>> unset foo
>> foo=bar echo $foo >$foo
>> doesn't?
>
> What would you expect the last to do? "foo=bar echo $foo" only sets "foo"
> inside the scope of the "echo" statement, so in the scope of ">$foo" the
> variable is unset. In the first case there's no command so the shell is
> evaluating left-to-right and it works.
How does the shell know that there's no command without evaluating, and
if it evaluates left to right, why isn't the result the same? Actually
I found the answer to that, which is that
name=val command
is processed like
(name=val; command)
which also explains why the value isn't left lingering for the next
operation.
> I actually wouldn't code written
> that, myself! Too close to obfuscation; much easier written as two lines;
> foo=bar
> > $foo
> for ease of understanding.
I find it much easier to understand code written to keep setting/using
values in the smallest scope possible.
>> And how does this relate to ||, && and things on the right hand side of
>> |'s in terms of evaluation order and side effects?
>
> Mostly you can think of those things as causing subprocesses, so each part
> can be wrapped in ( )
Which would be more meaningful in a document that explains when and how
the () tokens are handled...
>> I'm sure I saw a simple list of the order of operations for the bourne
>> shell years ago with about 6 steps and which are repeated if you add an
>
> I've never seen one. I'm not even sure I could write one :-)
>
Section 7.8 of this might be close to what I remember seeing.
http://books.google.com/books?id=_mbgnxL-QvoC&pg=PA140&lpg=PA140&dq=shell+evaluation+order+of+operations&source=web&ots=SI7CFQOJ6b&sig=WRWpWZskGXOI8VJhIt1eHeeqfVs#PPA162,M1
>> must still do the steps in the same order to be compatible. You really
>> need to know this to do anything even slightly complicated and I'm
>
> Not really. Mostly if you find yourself hitting that sort of problem
> then you're writing overly complicated code and are probably better off
> refactoring it into something more readable.
But I find compact code most readable.
> I've been coding in ksh for 18 years now and haven't had to worry too
> much about precedence that simple test cases can't answer for me.
I don't trust test cases on one implementation to be portable unless
they match the documented behavior.
> And
> that included 1100 line scripts than run a messaging system :-)
Maybe it would only have taken a couple hundred lines if you took
advantage of order of operations on each line... But my rule of thumb
is that if I expect something to fill more than a page, I'd start in
some other language.
--
Les Mikesell
lesmikesell at gmail.com
More information about the CentOS
mailing list