On Thu, Jun 12, 2008 at 08:20:52PM -0400, John Leser wrote:
> > 3. "Although one might think that "eval" could be used in the shell to
> > access the set of values one line at a time, this has major pitfalls:"
> >
> > There are lots of ways to parse in shell. If you are wary of eval,
> > pick another. The "evil of eval" is not relevant to this case.
> >
>
> I agree that an eval based system could work, but it requires extra care
> (as Nicolas has pointed out) in both the production and consumption of
> the parseable output, without any advantages I'm aware of. The "evil of
> eval" is relevant to explain our choice to not produce output designed
> for consumption by a script using "eval", which is the way dladm
> currently works.

So, the only quoting that needs to be done is: put all attacker-controlled
values (e.g., ESSIDs) in single quotes and quote any single quotes[*] in
said values.

[*] To quote single quotes in single-quoted strings you need to replace
to-be-quoted single quotes with: '"\"\'\"'

This works with ksh, ksh93, /bin/sh, /sbin/sh and bash. '"'"' works
with ksh, ksh93, /bin/sh, and /sbin/sh, but not with bash.

Nico
--
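The single-quote-and-escape approach discussed above, as an added example that is not part of the mail thread or of dladm: a POSIX sh quoting helper that wraps an attacker-controlled value (a constructed ESSID) in single quotes using the standard `'\''` sequence rather than the sequences quoted in the mail, emits an eval-safe `name=value` record, and checks that eval recovers the original value unchanged.

```shell
# Added example, not from the thread. Names (sq_quote, emit_record,
# round_trip) and the sample ESSID are constructed for illustration.

# sq_quote VALUE -> prints VALUE wrapped in single quotes, with each embedded
# single quote replaced by '\'' (close quote, escaped quote, reopen quote).
# Uses only parameter expansion so every byte of VALUE is preserved.
sq_quote() {
    _in=$1
    _out=""
    while [ -n "$_in" ]; do
        _rest=${_in#?}            # everything after the first character
        _c=${_in%"$_rest"}        # the first character itself
        if [ "$_c" = "'" ]; then
            _out="$_out'\\''"
        else
            _out="$_out$_c"
        fi
        _in=$_rest
    done
    printf "'%s'" "$_out"
}

# emit_record NAME VALUE -> prints one line "NAME=<quoted VALUE>" that a
# consumer may safely pass to eval, whatever VALUE contains.
emit_record() {
    printf '%s=%s\n' "$1" "$(sq_quote "$2")"
}

# round_trip VALUE -> evals the emitted record for VALUE and prints 1 if the
# shell recovered VALUE byte for byte, 0 otherwise. Metacharacters in VALUE
# (;, $(...), *, embedded quotes) stay inert because of the single quotes.
round_trip() {
    essid=""
    eval "$(emit_record essid "$1")"
    if [ "$essid" = "$1" ]; then echo 1; else echo 0; fi
}

# Constructed sample: an ESSID containing a quote and shell metacharacters.
SAMPLE_ESSID="Bob's Cafe; echo injected \$(id) *"
emit_record essid "$SAMPLE_ESSID"
echo "round trip ok: $(round_trip "$SAMPLE_ESSID")"
```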