[CentOS] bash - safely pass untrusted strings?

Tue Feb 26 21:51:28 UTC 2008

On Tuesday 26 February 2008, Bart Schaefer wrote:
> For someone who apparently has no idea what he's talking about, you
> sure say a lot.

Sorry. It's how I think aloud. Sorry if I offended. 

> No, you missed it.  You need the quotes *everywhere* that a variable
> is referenced.

Yes, I missed this point. I now see the error in my ways.

> >  In script2.sh, $1 only contains the string "this". There is no safe way 
to
> >  pass $1 (containing string "this parameter") from script1 to script2 as a
> >  single, trustable parameter.
> 
> file: script1.sh
> #! /bin/bash
> script2.sh "$1"  # Doesn't help to quote in script2 if not quoted in script1
> exit 0;
> 
> file: script2.sh
> #! /bin/bash
> echo "$1";

This is the point that I missed. (hat in hand) 

> >  Here are the offending lines:
> >
> >  for file in $*
> >                  do
> >                  mv ${file} $prefix$file
> >                done
> 
> for file in "$@"
> do
>    mv -- "${file}" "$prefix$file"
> done
> 
> > No amount of quoting will
> > make TLDP's "move a bunch of files" script actually work reliably.
> 
> That was a bad URL to have pointed you to, because that's a horrible
> example of shell programming.  I hope "felix hudson" has gotten a bit
> smarter since then.  However, just because felix wrote a bad script
> does not make "bash is incapable ..." true, any more than you chanting
> it repeatedly does.

It's a bad URL that's also very commonly referenced. 

Unless I'm terribly mistaken (again?), the only way I've been able to 
see "loop thru a list of files" work reliably is with "find" using 
the "-print0" option, in cahoots with xargs. 

Is there any other way? 

-Ben 
--
Only those who reach toward a goal are likely to achieve it. 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.