[CentOS] bash - safely pass untrusted strings?
Bart Schaefer
barton.schaefer at gmail.com
Tue Feb 26 21:34:53 UTC 2008
For someone who apparently has no idea what he's talking about, you
sure say a lot.
On Tue, Feb 26, 2008 at 12:40 PM, Benjamin Smith
<lists at benjamindsmith.com> wrote:
> You missed the point.
No, you missed it. You need the quotes *everywhere* that a variable
is referenced.
> In script2.sh, $1 only contains the string "this". There is no safe way to
> pass $1 (containing string "this parameter") from script1 to script2 as a
> single, trustable parameter.
file: script1.sh
#! /bin/bash
script2.sh "$1" # Doesn't help to quote in script2 if not quoted in script1
exit 0;
file: script2.sh
#! /bin/bash
echo "$1";
> Here are the offending lines:
>
> for file in $*
> do
> mv ${file} $prefix$file
> done
for file in "$@"
do
    mv -- "${file}" "$prefix$file"
done
> No amount of quoting will
> make TLDP's "move a bunch of files" script actually work reliably.
That was a bad URL to have pointed you to, because that's a horrible
example of shell programming. I hope "felix hudson" has gotten a bit
smarter since then. However, just because felix wrote a bad script
does not make "bash is incapable ..." true, any more than you chanting
it repeatedly does.
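
Added example, not part of the original message: the script1.sh/script2.sh hand-off and the corrected mv loop above, written as shell functions so both can be run in one file. The function names (script2, script1_unquoted, script1_quoted, add_prefix, rename_demo), the "old_" prefix and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: functions stand in for script1.sh / script2.sh.

# script2: report the first argument it actually received.
script2() { printf '%s\n' "$1"; }

# script1 without quotes: $1 is word-split before script2 sees it.
script1_unquoted() { script2 $1; }

# script1 with quotes: the argument arrives as one word.
script1_quoted() { script2 "$1"; }

# The corrected loop from the message. Usage: add_prefix PREFIX FILE...
# Runs in a subshell so its variables do not leak into the caller.
add_prefix() (
    prefix=$1
    shift
    for file in "$@"; do
        # "--" stops option parsing, so a name like "-n" is a file
        mv -- "${file}" "$prefix$file"
    done
)

# Create constructed awkward names in a scratch directory, rename them,
# and print how many landed under the expected new name.
rename_demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    touch -- "this parameter" "-n" "a*b"
    add_prefix "old_" "this parameter" "-n" "a*b"
    ok=0
    for want in "old_this parameter" "old_-n" "old_a*b"; do
        if [ -e "./$want" ]; then ok=$((ok + 1)); fi
    done
    cd / && rm -rf -- "$dir"
    printf '%s\n' "$ok"
)
```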