Repository : http://git.fedorahosted.org/git/?p=secure-coding.git On branch : master >--------------------------------------------------------------- commit e23c38377538e4c9f0311347b6fc15b8c1dddd37 Author: Florian Weimer <fweimer@xxxxxxxxxx> Date: Fri Oct 10 16:44:53 2014 +0200 Shell: Update section on input validation Also mention safety of [[ $var =~ regexp ]]. >--------------------------------------------------------------- defensive-coding/en-US/Shell.xml | 36 +++++++++++++++++++++--------------- 1 files changed, 21 insertions(+), 15 deletions(-) diff --git a/defensive-coding/en-US/Shell.xml b/defensive-coding/en-US/Shell.xml index 24554b1..042ac61 100644 --- a/defensive-coding/en-US/Shell.xml +++ b/defensive-coding/en-US/Shell.xml @@ -162,6 +162,14 @@ external-program "$arg1" "$arg2" evaluation, even with integer operators such as <literal>-eq</literal>.) </para> + <para> + The conditional expression + â??<literal>[[ $</literal><emphasis>variable</emphasis><literal> =~ </literal><emphasis>regexp</emphasis><literal> ]]</literal>â?? + can be used for input validation, assuming that + <emphasis>regexp</emphasis> is a constant regular + expression. + See <xref linkend="sect-Defensive_Coding-Shell-Input_Validation"/>. + </para> </listitem> <listitem> <para> 
@@ -391,29 +399,27 @@ trap cleanup 0 </para> <para> The following construct can be used to check if a string - â??<literal>$value</literal>â?? is not a non-negative integer. + â??<literal>$value</literal>â?? is an integer. </para> <informalexample> <programlisting language="Bash"> -case "$value" in - *[!0-9]*) - echo "invalid input value" 1>&2 - exit 1 - ;; -esac +if [[ $value =~ ^-?[0-9]$ ]] ; then + echo value is an integer +else + echo "value is not an integer" 1>&2 + exit 1 +fi </programlisting> </informalexample> <para> - The pattern â??<literal>*[!0-9]*</literal>â?? is not special shell - syntaxâ??it matches any string which contains arbitrary characters, - followed by a non-digit, followed by arbitrary characters. + Using <literal>case</literal> statements for input validation is + also possible, but the pattern language is more restrictive, and + it can be difficult to write suitable patterns. </para> <para> - Using <literal>case</literal> statements is the most reliable way - for performing input validation, although constructing proper - patterns is difficult. The <literal>expr</literal> external - command and the built-in operator <literal>=~</literal> can give - misleading results. + The <literal>expr</literal> external command can give misleading + results (e.g., if the value being checked contains operators + itself) and should not be used. </para> </section> <section id="sect-Defensive_Coding-Shell-Edit_Guard">
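Review bot: in the first hunk (Shell.xml, @@ -162,6 +162,14), the new paragraph states only that regexp must be constant. It does not say that the pattern has to be anchored with ^ and $ and written unquoted, as the example in the Input Validation section does. Without anchors, =~ succeeds if the pattern matches anywhere in the string, and in bash 3.2 and later a quoted right-hand side is compared as a literal string rather than as a regular expression. Suggest adding one sentence to the paragraph covering both points, so that a reader who does not follow the xref still gets a check that validates the whole value.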
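Review bot: in the second hunk (Shell.xml, @@ -391,29 +399,27), the pattern in "if [[ $value =~ ^-?[0-9]$ ]]" has no quantifier on the digit class, so it accepts only a single digit with an optional leading minus sign and rejects every multi-digit value such as 10 or -42. That contradicts the preceding sentence, which says the construct checks whether $value is an integer. Suggest "^-?[0-9]+$". Since the removed case example covered the non-negative case and the new text no longer does, it would also help to mention that dropping "-?" gives the non-negative check.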
-- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security