I am trying to parse untrusted strings and represent them in a form that
would be safe to execute.

So assuming as-echo.sh is defined as below, for example:

cmd="echo"
for a in "$@"
do
    cmd="$cmd '${a/\'/''}'"
done
echo "$cmd"
eval "$cmd"

Then:

        as-echo.sh 'a' '$(foobar)' 'c'

would produce:

   echo 'a' '$b' 'c'
   a $b c

Is my code safe, or can someone maliciously choose arguments to
as-echo.sh that could cause it (as-echo.sh) to do something other than
write to stdout?

Can anyone point me to best practice for this kind of protection in bash?

jon.
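
One way to build an eval-safe command line from untrusted arguments, as an added example that is not part of the original post: inside single quotes the only character that needs handling is the single quote itself, and every occurrence (not just the first) has to be written as '\''. The helper names quote_arg and build_cmd are hypothetical, and the code is written for POSIX sh so it also runs under bash.

```shell
#!/bin/sh
# Added example, not from the original post. quote_arg and build_cmd are
# hypothetical helper names chosen for this illustration.

# quote_arg STRING
# Print STRING as one single-quoted shell word. Each embedded ' becomes '\''
# (close the quotes, emit a backslash-escaped quote, reopen the quotes).
# The body runs in a subshell so its variables do not leak to the caller.
quote_arg() (
    rest=$1
    out=
    while :; do
        case $rest in
            *\'*)
                head=${rest%%\'*}   # text before the first remaining '
                rest=${rest#*\'}    # text after that '
                out="$out$head'\\''"
                ;;
            *)
                break
                ;;
        esac
    done
    printf "'%s'" "$out$rest"
)

# build_cmd COMMAND [ARG...]
# Print a command line in which every ARG has been passed through quote_arg.
# COMMAND is assumed to be a fixed, trusted name supplied by the script itself.
build_cmd() (
    line=$1
    shift
    for arg in "$@"; do
        line="$line $(quote_arg "$arg")"
    done
    printf '%s\n' "$line"
)

# Same flow as as-echo.sh (show the command, then run it):
#   cmd=$(build_cmd echo "$@"); echo "$cmd"; eval "$cmd"
```

In bash specifically, `printf '%q'` and `"${a@Q}"` (bash 4.4 and later) produce reusable quoting without a hand-written loop. Where the arguments can be passed straight through as `"$@"`, dropping eval altogether removes the need for any quoting step.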

