Dennis Williamson wrote:
I'm trying to put a command in a variable, but the complex cases always
fail! : http://mywiki.wooledge.org/BashFAQ/050
Eval command and security issues : http://mywiki.wooledge.org/BashFAQ/048
----
Dunno, but I see nothing on that page about using
printf -v "%q" or using single quotes inside of doubles... in his
first example:
# This code is evil and should never be used!
fifth() {
    _fifth_array=$1
    eval echo "\"The fifth element is \${$_fifth_array[4]}\"" # DANGER!
}
a=(zero one two three four five)
fifth a
---------------
Had it been written:
fifth() {
    printf -v _fifth_array "%q" "$1"
    eval echo "'The fifth element is ${ echo "${_fifth_array[4]}" }'"
}
---
Then his arbitrary arg function throws an error:
fifth 'x}'; date;
-bash: 'The fifth element is ${ echo "${_fifth_array[4]}" }': bad substitution
----
However, if someone takes user input... it needs to be way sterilized --
i.e. if expecting a single char -- only accept a single char.
if expecting a number... ${i//[^0-9]/} :
i=948392480
Ishtar:law> echo ${i//[^0-9]/}
948392480
i=9'\010'3{92}480
echo ${i//[^0-9]/}
9010392480
---
But I think a difference between Greg's thinking and mine is that
I tend to write scripts to help me do things on my system.
If someone else wants to use my scripts -- and then use them to try to
break into their own system....um... *oh well*... ;-)
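
An added example, not part of the original post: one way to write `fifth` with no `eval`, by checking that the argument is a plain variable name and then using bash indirect expansion, plus a numeric check that refuses malformed input instead of stripping characters from it. The helper names `is_identifier` and `require_uint` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Helper names are hypothetical.

# is_identifier NAME: true only for a plain shell variable name.
is_identifier() {
    local LC_ALL=C      # keep A-Z / a-z ranges ASCII-only
    [[ $1 =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]
}

# fifth NAME: print element 4 of the array called NAME, with no eval.
fifth() {
    local _fifth_name=$1
    if ! is_identifier "$_fifth_name"; then
        printf 'fifth: not a variable name: %q\n' "$_fifth_name" >&2
        return 2
    fi
    # Indirect expansion: "${!ref}" with ref='a[4]' expands like "${a[4]}".
    # The name was validated first, so the argument is never parsed as code.
    local _fifth_ref="${_fifth_name}[4]"
    printf 'The fifth element is %s\n' "${!_fifth_ref}"
}

# require_uint VALUE: print VALUE if it is one or more digits, else fail.
# Unlike ${i//[^0-9]/}, a malformed value is refused, not silently rewritten.
require_uint() {
    case $1 in
        '' | *[!0-9]*) return 1 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

a=(zero one two three four five)    # sample array from the post

# Demo: a valid name, then the malformed argument from the post.
fifth a
fifth 'x}' || echo "rejected with status $?"
require_uint 948392480
require_uint "9'\\010'3{92}480" || echo "not a number, refused"
```
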