[CentOS] bash - safely pass untrusted strings?

Tue Feb 26 19:35:19 UTC 2008
Garrick Staples <garrick at usc.edu>

On Tue, Feb 26, 2008 at 11:22:55AM -0800, Benjamin Smith alleged:
> On Tuesday 26 February 2008, Les Mikesell wrote:
> > > 
> > > WHY THE @!#! NOT?!?!?
> > 
> > The shell is 'supposed' to be run by a user that is allowed to run any 
> > command he wants, and permission/trust issues are handled by the 
> > login/authentication process that happens before you get to the shell. 
> > If you give the shell a bad command under your own account, it's not 
> > supposed to second guess what you wanted.
> 
> I'm not asking for this. I'm only asking for the option to be able to trust 
> that a parameter is... a parameter. EG: 
> 
> file: script1.sh 
> #! /bin/bash
> script2.sh $1 
> exit 0; 
> 
> file: script2.sh 
> #! /bin/bash 
> echo $1; 
> 
> $ script1.sh "this\ parameter"; 
> 
> I get output of "this"! script2 gets two parameters! I want a way for 1 

You need to quote the variable:
    #!/bin/bash
    echo "$1"


> parameter to STAY 1 parameter upon request, so that script2.sh would 
> output "this parameter", like 
> 
> file:script1.sh 
> #! /bin/bash
> PassToShell2=escapethis $1; 
> script2.sh $PassToShell; 
> exit 0; 

You are missing two sets of quotes:
   #!/bin/bash
   PassToShell2="escapethis $1"
   script2.sh "$PassToShell2"

 
[...snip blah blah rant...]

> http://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO-12.html#ss12.1
> 
> Here's what I get: 
> 
> mv: invalid option -- a
> Try `mv --help' for more information.

That's a bug in the script.

It should be:
   mv -- "$file" "$file$suffix"

 
> Or with a file with a space: 
> echo "blah" > "d"; 
> echo "blah" > "d foo"; 
> 
> The TLDP's example doesn't move file "d foo". I get: 
> mv: cannot stat `d': No such file or directory
> mv: cannot stat `foo': No such file or directory
> 
> So I ask again: This doesn't strike you as fundamentally borkeD? The emperor 
> wears no clothes! 

Just another case of missing double quotes.

It's the programmer that is borked, not the fundamentals :)

 
[...snip more rants...]

-- 
Garrick Staples, GNU/Linux HPCC SysAdmin
University of Southern California

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
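
Added example, not part of the original message: a self-contained script showing the two fixes from the reply above, quoting the expansion and ending option parsing with `--`. The function names (`count_args`, `forward_unquoted`, `forward_quoted`, `forward_all`, `rename_demo`), the `.bak` suffix and the file names are constructed stand-ins for script1.sh, script2.sh and the HOWTO rename loop.

```shell
#!/bin/bash
# Added illustration with constructed inputs; not code from the thread.

# Stand-in for script2.sh: report how many arguments arrived.
count_args() { echo "$#"; }

# Stand-ins for script1.sh, written three ways.
forward_unquoted() { count_args $1; }     # $1 is word-split and glob-expanded again
forward_quoted()   { count_args "$1"; }   # $1 arrives as exactly one argument
forward_all()      { count_args "$@"; }   # every argument forwarded unchanged

# Rename loop in the style of the HOWTO script, with both fixes applied.
# Runs in a scratch directory; the whole function body is a subshell so
# the caller's working directory and variables are untouched.
rename_demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    echo blah > "d foo"    # constructed name containing a space
    echo blah > ./-a       # constructed name that looks like an option
    suffix=.bak            # assumed suffix for the demo
    for file in *; do
        # Quotes keep "d foo" as one argument; "--" stops mv from
        # reading "-a" as an option.
        mv -- "$file" "$file$suffix" || exit 1
    done
    status=0
    { [ -e "d foo.bak" ] && [ -e ./-a.bak ]; } || status=1
    cd / && rm -rf -- "$dir"
    exit "$status"
)

echo "unquoted \$1:  $(forward_unquoted 'this parameter') argument(s)"
echo "quoted \"\$1\": $(forward_quoted 'this parameter') argument(s)"
echo "\"\$@\" with two inputs: $(forward_all 'a b' 'c') argument(s)"
if rename_demo; then
    echo "rename loop: both files renamed"
else
    echo "rename loop: failed"
fi
```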