[CentOS] bash - safely pass untrusted strings?

Les Mikesell lesmikesell at gmail.com
Tue Feb 26 18:45:41 UTC 2008


Garrick Staples wrote:

>> How many "homebrew" ISP or hosting administration scripts could be compromised 
>> by simply putting a file in your home directory called ";rm -rf /" ? 
> 
> It's not as bad as you think because of the order of operations.
> 
> In all cases, these perform exactly as a string should regardless of inner
> characters.

He's probably thinking of a scripted operation that does a
find . -print |xargs some_command
(without print0) or a backtick or $(..) generated expansion.  A lot of 
the usefulness of the shell happens because you can generate and reparse 
text programmatically and have it become commands - and a side effect is 
that metacharacters that appear in the text get processed even if they 
aren't what you expected.  I think it is kind of silly that common shell 
metacharacters are permitted in filenames, but there's not much you 
can do about it now.

-- 
   Les Mikesell
    lesmikesell at gmail.com
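Added illustration of the point above (example code, not from anyone in the thread): a POSIX sh script that builds a scratch directory with constructed, harmless filenames containing a space, a newline and a semicolon, then counts them four ways. The two "unsafe" functions reparse find's newline-separated output (plain xargs, and an unquoted $(..) loop), so one name becomes several arguments; the two "safe" functions hand names over NUL-delimited (-print0 / xargs -0) or let find exec the command itself (-exec ... {} +), so each name stays one argument. Note that xargs passes arguments straight to execve and never through a shell, so the semicolon is inert here; it only becomes a command separator when something re-feeds the text to a shell (eval, backticks, a generated script).

```sh
#!/bin/sh
# Added demo, not part of the mailing-list post. Fixture names are constructed
# and harmless; they only carry the characters that break naive reparsing.

make_fixture() {
  dir=$(mktemp -d) || return 1
  : > "$dir/plain.txt"
  : > "$dir/has space.txt"                       # space: split by xargs / $(..)
  : > "$dir/;echo INJECTED.txt"                  # semicolon: inert unless eval'd
  : > "$dir/$(printf 'line1\nline2').txt"        # newline: breaks -print output
  printf '%s\n' "$dir"
}

# Unsafe: find -print emits one name per line, and xargs re-splits that
# stream on ANY whitespace (and treats quotes specially), so names break apart.
count_unsafe_xargs() {
  find "$1" -type f -print | xargs sh -c 'echo "$#"' sh
}

# Unsafe: an unquoted $(..) is word-split on $IFS before the loop runs.
count_unsafe_subst() {
  n=0
  for f in $(find "$1" -type f); do n=$((n + 1)); done
  echo "$n"
}

# Safe: NUL cannot occur in a path, so -print0 | xargs -0 is lossless.
# (-print0/-0 are GNU and BSD extensions; POSIX.1-2024 adopted them.)
count_safe_xargs() {
  find "$1" -type f -print0 | xargs -0 sh -c 'echo "$#"' sh
}

# Safe and strictly POSIX: find execs the command with the names as argv,
# no intermediate text stream to reparse at all.
count_safe_exec() {
  find "$1" -type f -exec sh -c 'echo "$#"' sh {} +
}

# Stand-alone demo: four real files; the unsafe paths report seven.
d=$(make_fixture)
printf 'unsafe find|xargs : %s\n' "$(count_unsafe_xargs "$d")"
printf 'unsafe for $(..)  : %s\n' "$(count_unsafe_subst "$d")"
printf 'safe -print0|-0   : %s\n' "$(count_safe_xargs "$d")"
printf 'safe -exec {} +   : %s\n' "$(count_safe_exec "$d")"
rm -r "$d"
```

The same rule applies to any consumer of find's output: if the handoff is a text stream that a second tool re-tokenises, every whitespace or quote character in a name is a splitting point; if the handoff is argv (via -0 or -exec), the name is opaque data.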
