On Vi, 06 dec 19, 14:50:51, Greg Wooledge wrote:
> On Fri, Dec 06, 2019 at 02:40:49PM -0500, songbird wrote:
> > Greg Wooledge wrote:
> > ...
> > > Ideally, you'd just stop trying to use sed with user-supplied variables
> > > injected into the code. Sed was never built to be safe for that kind of
> > > work.
> >
> > sed was designed to operate on streams. a sequence of
> > characters is a stream. i don't see any reason why
> > putting the variable into the middle of that expression
> > means anything different.
>
> It was designed to accept a program in argv[] and execute that program
> on its input, which is a stream.
>
> You are injecting your end-user variables inside sed's program. This
> is called code injection. End-user data is being parsed as code by
> a code interpreter (in this case, sed).
>
> The workarounds for this are:
>
> 1) Carefully quote/dequote/escape/mangle the end-user data so that
>    after it has been injected into the code, it will achieve the desired
>    goal.
>
> 2) Use some other tool or method of supplying the end-user data so that
>    it is never parsed as code by any interpreter.

As usual, your posts are very valuable. I will openly admit I have
learned a lot from them (as well as from your wiki).

> If you insist on doing #1, so be it. It's your damned computer, and your
> damned problem. I can only warn you and be ignored so many times
> before I give up and let you fuck yourself, as you are so vehemently and
> stubbornly eager to do.

This last paragraph could have been left out though. Using such language
will only diminish the value of / distract from the valuable
explanations above.

You can't save them all :)

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
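
Workaround 2 from the quoted message, shown next to the spliced sed call it replaces. This is an added example, not code from the thread: the function names `replace_spliced` and `replace_literal` and all sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample inputs are constructed.

# Baseline: $1 and $2 are pasted into sed's program text, so sed parses
# any '/', '.', '&' or '\' they contain as sed syntax.
replace_spliced() {
    sed "s/$1/$2/g"
}

# Workaround 2: the values reach awk through the environment and are only
# ever handled as strings. ENVIRON is used instead of "awk -v" because
# -v assignments undergo backslash-escape processing.
replace_literal() {
    SEARCH="$1" REPL="$2" awk '
        BEGIN { s = ENVIRON["SEARCH"]; r = ENVIRON["REPL"]; n = length(s) }
        {
            line = $0; out = ""
            # index() is a plain substring search, not a regex match.
            while (n > 0 && (i = index(line, s)) > 0) {
                out = out substr(line, 1, i - 1) r
                line = substr(line, i + n)
            }
            print out line
        }'
}

# Constructed inputs: metacharacters, then a path containing the delimiter.
printf 'a.b axb\n' | replace_spliced 'a.b' 'R&D'     # Ra.bD RaxbD
printf 'a.b axb\n' | replace_literal 'a.b' 'R&D'     # R&D axb
printf 'path=/usr/bin\n' | replace_spliced '/usr/bin' '/opt/bin' 2>/dev/null ||
    echo 'sed rejected the spliced program'
printf 'path=/usr/bin\n' | replace_literal '/usr/bin' '/opt/bin'  # path=/opt/bin
```

In the spliced form the same value is either rewritten by sed's own syntax rules or makes the program invalid; in the literal form the awk program text is fixed and the values never enter it.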