[CentOS] bash - safely pass untrusted strings?

Tue Feb 26 23:30:02 UTC 2008
Benjamin Smith <lists at benjamindsmith.com>

On Tuesday 26 February 2008, Les Mikesell wrote:
> Benjamin Smith wrote:
> > Unless I'm terribly mistaken (again?), the only way I've been able to 
> > see "loop thru a list of files" work reliably is with "find" using 
> > the "-print0" option, in cahoots with xargs. 
> > 
> > Is there any other way? 
> 
> for file in wildcard*
>    do
>      ls -l "$file"
>    done
> 
> But this is the point where you should be asking what to do about quotes 
> embedded in the filenames which won't hurt here because of the order of 
> operations but would if you tried to collect the strings and use them in 
> some other ways.

Exactly. Here's my example: 

$ ls -laFd *
-rw-r--r-- 1 bens nobody   5 2008-02-26 12:21 Disney\ trip\ -a\ mother\\'s\ journey.doc
-rwxr--r-- 1 bens nobody 103 2008-02-26 13:35 script1.sh*
-rwxr--r-- 1 bens nobody  26 2008-02-26 11:54 script2.sh*
-rw-r--r-- 1 bens nobody  52 2008-02-26 15:15 script3.sh
-rw-r--r-- 1 bens nobody  55 2008-02-26 13:17 t

Note that, even here, there's a file called "-b" that's been inadvertently 
hidden! 

$ ls -laFd -- * 
-b  Disney trip -a mother\'s journey.doc  script1.sh  script2.sh  script3.sh  
t
$ cat -- -b 
blah
$

File script3.sh contains the following: 
$ cat script3.sh
#! /bin/sh
for file in $*
        do
        ls -l "$file";
        done
[bens at turing tt]$

And when I run script3.sh, I get: 
$ /bin/bash ./script3.sh *
total 48
-rw-r--r-- 1 bens nobody   5 2008-02-26 12:14 -b
-rw-r--r-- 1 bens nobody   5 2008-02-26 12:21 Disney\ trip\ -a\ mother\\'s\ journey.doc
-rwxr--r-- 1 bens nobody 103 2008-02-26 13:35 script1.sh
-rwxr--r-- 1 bens nobody  26 2008-02-26 11:54 script2.sh
-rw-r--r-- 1 bens nobody  52 2008-02-26 15:18 script3.sh
-rw-r--r-- 1 bens nobody  55 2008-02-26 13:17 t
ls: cannot access Disney: No such file or directory
ls: cannot access trip: No such file or directory
total 64
drwxr-xr-x  2 bens nobody 4096 2008-02-26 13:17 .
drwxr-xr-x 14 bens bens   4096 2008-02-26 11:54 ..
-rw-r--r--  1 bens nobody    5 2008-02-26 12:14 -b
-rw-r--r--  1 bens nobody    5 2008-02-26 12:21 Disney trip -a mother\'s journey.doc
-rwxr--r--  1 bens nobody  103 2008-02-26 13:35 script1.sh
-rwxr--r--  1 bens nobody   26 2008-02-26 11:54 script2.sh
-rw-r--r--  1 bens nobody   52 2008-02-26 15:18 script3.sh
-rw-r--r--  1 bens nobody   55 2008-02-26 13:17 t
ls: cannot access mother\'s: No such file or directory
ls: cannot access journey.doc: No such file or directory
-rwxr--r-- 1 bens nobody 103 2008-02-26 13:35 script1.sh
-rwxr--r-- 1 bens nobody 26 2008-02-26 11:54 script2.sh
-rw-r--r-- 1 bens nobody 52 2008-02-26 15:18 script3.sh
-rw-r--r-- 1 bens nobody 55 2008-02-26 13:17 t
$

It's obviously getting slipped up on the "-b". Tried again: 
$ cat script3.sh
#! /bin/bash
for file in $*
        do
        ls -l -- "$file";
        done
$ /bin/bash ./script3.sh *
-rw-r--r-- 1 bens nobody 5 2008-02-26 12:14 -b
ls: cannot access Disney: No such file or directory
ls: cannot access trip: No such file or directory
ls: cannot access -a: No such file or directory
ls: cannot access mother\'s: No such file or directory
ls: cannot access journey.doc: No such file or directory
-rwxr--r-- 1 bens nobody 103 2008-02-26 13:35 script1.sh
-rwxr--r-- 1 bens nobody 26 2008-02-26 11:54 script2.sh
-rw-r--r-- 1 bens nobody 57 2008-02-26 15:21 script3.sh
-rw-r--r-- 1 bens nobody 55 2008-02-26 13:17 t

Still has bad errors with properly quoted, otherwise legal file names. Redefine 
IFS? 

> Does anyone have a quick reference to the order of operations as the 
> shell parses a command line (variable parsing,i/o redirection, wildcard 
> and variable expansion, splitting on IFS, quote removal, command 
> substitution etc.)?  That's really the first thing you need to know 
> about the shell and if there is a simple description it must be buried 
> in the middle of some obscure manual.
> 
> -- 
>   Les Mikesell
>     lesmikesell at gmail.com
> 
> 
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 
> 
-- 
Only those who reach toward a goal are likely to achieve it. 

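The three traps the thread walks through are word splitting of an unquoted $*, a name that starts with "-" being taken as an option, and line-oriented tools choking on a name that contains a newline. The script below is an added, runnable illustration and is not code from the thread or from any CentOS tool: it builds a scratch directory with the post's file names (plus one containing a newline, which is a constructed name), then runs each naive form beside the idiom that fixes it. In both POSIX sh and bash, an unquoted $* or $@ is field-split on IFS and then globbed, "$@" yields one word per argument untouched, and "--" ends option parsing in any utility that follows the POSIX syntax guidelines. The helper names (make_fixture, in_fixture, count_*) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread. File names are constructed to
# match the post, plus one containing a newline.

# Build a scratch directory holding the awkward names. Prints its path.
make_fixture() {
    nl='
'
    dir=$(mktemp -d "${TMPDIR:-/tmp}/untrusted.XXXXXX") || return 1
    : > "$dir/-b"
    : > "$dir/Disney trip -a mother\\'s journey.doc"
    : > "$dir/script3.sh"
    : > "$dir/two${nl}lines"
    printf '%s\n' "$dir"
}

# Run "fn *" from inside a directory, i.e. exactly what "script3.sh *" does:
# the shell expands the glob, each name becomes one argument.
in_fixture() {
    d=$1
    shift
    ( cd "$d" && "$@" * )
}

# script3.sh's pattern: unquoted $* is re-split on IFS (space, tab, newline),
# so one name with spaces turns into several words. Prints the number of
# loop iterations, i.e. how many "files" the loop believes it was given.
count_naive() {
    n=0
    for f in $*; do n=$((n + 1)); done
    echo "$n"
}

# "$@" expands to one word per argument with no splitting or globbing,
# so the loop sees each name exactly once.
count_quoted() {
    n=0
    for f in "$@"; do n=$((n + 1)); done
    echo "$n"
}

# Even with "$@", a name beginning with "-" is parsed by the command as an
# option. wc rejects -b, so that call fails; a command that happens to
# accept the letter would silently do something else. Prints failed calls.
failures_without_dashdash() {
    bad=0
    for f in "$@"; do
        wc -c "$f" >/dev/null 2>&1 || bad=$((bad + 1))
    done
    echo "$bad"
}

# "--" ends option parsing, so the same names are all treated as operands.
failures_with_dashdash() {
    bad=0
    for f in "$@"; do
        wc -c -- "$f" >/dev/null 2>&1 || bad=$((bad + 1))
    done
    echo "$bad"
}

# Line-oriented enumeration: the newline inside one name makes find's
# output one line longer than the number of files.
count_with_find_newline() {
    find "$1" -type f | wc -l | tr -d ' '
}

# The find -print0 | xargs -0 pipeline from the post: NUL is the only byte
# that cannot occur in a path, so each name reaches the command as exactly
# one argument. Prints how many arguments xargs passed on (for a listing big
# enough that xargs splits it into batches, one count per batch is printed).
count_with_find0() {
    find "$1" -type f -print0 | xargs -0 sh -c 'echo "$#"' sh
}

main() {
    dir=$(make_fixture) || exit 1
    echo "for f in \$*        : $(in_fixture "$dir" count_naive) iterations for 4 files"
    echo "for f in \"\$@\"      : $(in_fixture "$dir" count_quoted) iterations"
    echo "wc -c FILE         : $(in_fixture "$dir" failures_without_dashdash) failure(s)"
    echo "wc -c -- FILE      : $(in_fixture "$dir" failures_with_dashdash) failure(s)"
    echo "find | wc -l       : $(count_with_find_newline "$dir") lines for 4 files"
    echo "find -print0|xargs : $(count_with_find0 "$dir") arguments"
    rm -rf -- "$dir"
}
main "$@"
```

Run it as-is and the naive loop reports nine "files" for four, while the "$@" loop reports four; wc fails once without "--" and never with it; and the newline-delimited find output has five lines for four files, whereas -print0 hands xargs exactly four arguments. Redefining IFS, as the post wonders, only papers over the first trap: "$@" is the fix for splitting, "--" for leading dashes, and NUL delimiters for names you did not get to choose.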