[CentOS] bash - safely pass untrusted strings?
Benjamin Smith
lists at benjamindsmith.com
Tue Feb 26 21:51:28 UTC 2008
On Tuesday 26 February 2008, Bart Schaefer wrote:
> For someone who apparently has no idea what he's talking about, you
> sure say a lot.
Sorry. It's how I think aloud. Sorry if I offended.
> No, you missed it. You need the quotes *everywhere* that a variable
> is referenced.
Yes, I missed this point. I now see the error in my ways.
> > In script2.sh, $1 only contains the string "this". There is no safe way to
> > pass $1 (containing string "this parameter") from script1 to script2 as a
> > single, trustable parameter.
>
> file: script1.sh
> #! /bin/bash
> script2.sh "$1" # Doesn't help to quote in script2 if not quoted in script1
> exit 0;
>
> file: script2.sh
> #! /bin/bash
> echo "$1";
This is the point that I missed. (hat in hand)
> > Here are the offending lines:
> >
> > for file in $*
> > do
> > mv ${file} $prefix$file
> > done
>
> for file in "$@"
> do
> mv -- "${file}" "$prefix$file"
> done
>
> > No amount of quoting will
> > make TLDP's "move a bunch of files" script actually work reliably.
>
> That was a bad URL to have pointed you to, because that's a horrible
> example of shell programming. I hope "felix hudson" has gotten a bit
> smarter since then. However, just because felix wrote a bad script
> does not make "bash is incapable ..." true, any more than you chanting
> it repeatedly does.
It's a bad URL that's also very commonly referenced.
Unless I'm terribly mistaken (again?), the only way I've been able to
see "loop thru a list of files" work reliably is with "find" using
the "-print0" option, in cahoots with xargs.
Is there any other way?
-Ben
--
Only those who reach toward a goal are likely to achieve it.
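
The quoting rules discussed in this message, as an added example that is not part of the original post: it contrasts unquoted $* with quoted "$@", applies the corrected rename loop to constructed filenames (embedded space, leading dash, glob character, newline), and lists the results with a ./ glob. The function names and filenames are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. POSIX sh syntax; runs unchanged in bash.

# Print the number of arguments received.
count_args() { echo "$#"; }

# Unquoted $* is re-split on whitespace (and glob-expanded) before forwarding.
forward_unquoted() { count_args $*; }

# Quoted "$@" forwards every argument exactly as it arrived.
forward_quoted() { count_args "$@"; }

# add_prefix PREFIX FILE...: the corrected loop quoted in the thread.
add_prefix() {
    prefix=$1; shift
    for file in "$@"; do
        # "--" ends option parsing, so a name such as "-rf" is treated as a file.
        mv -- "$file" "$prefix$file" || return 1
    done
}

# Create constructed hostile names in a scratch directory, rename them,
# and print how many renamed files exist afterwards.
demo() {
    dir=$(mktemp -d) || return 1
    nl_name=$(printf 'two\nlines')          # name with an embedded newline
    (
        cd "$dir" || exit 1
        for name in "this parameter" "-rf" "a*b" "$nl_name"; do
            : > "./$name"
        done
        add_prefix "new_" "this parameter" "-rf" "a*b" "$nl_name" || exit 1
        # Glob results are not re-split; the ./ prefix guards leading dashes.
        set -- ./new_*
        echo "$#"
    )
    status=$?
    rm -rf -- "$dir"
    return "$status"
}

forward_unquoted "this parameter"   # 2
forward_quoted "this parameter"     # 1
demo                                # 4
```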