Re: shell variable security

On 10/3/07, tony.chamberlain@xxxxxxxxx <tony.chamberlain@xxxxxxxxx> wrote:
>
> I have to write some BASH scripts.
>
> We have all heard about security problems with shell variables
> (i.e. when entering a name someone enters something like "Tony; rm -rf
> /root/*"), so that if the BASH script echoes it, it will do something
> like echo Tony; rm -rf /root/*.
>
> Now we have honest users here, but I still want to do some checks.  If I
> read in or get a shell variable from a user, I could do something like
>
>     echo "$VAR" | grep '[^a-zA-Z/_-]'
>     if [ $? -eq 0 ]
>     then
>         echo "You have entered a bad character"
>         exit 1
>     fi
>
> but that still runs into the problem like above with the echo.  I also could
> do
>
>     case "$VAR" in
>         *\;*|*\:*) echo "you have a bad character"
>             ;;
>     esac
>
> but I am not sure that is best either.  Is there any way to validate shell
> variables?
>
> I know Javascript, etc., has something like url_encode()
> --

If all you are looking for is to grab everything up to the first ; or :
(anything after is deemed invalid) you could use string manipulation.
Test it out as follows:

read name; echo "${name%%+(;|:)*}"

It will echo everything up to the first ; or : (omitting the invalid
character and everything after).

This will only work if you have extglob enabled via shopt.

If this does what you want, you can assign the value of your variable
using that string manipulation, hence cutting out the ; or : and
everything after.  No testing conditions.  If there are other
characters you wish to exclude, simply add them to the pattern by
separating each with the pipe |.

Type shopt to see your shell options.  See if extglob is on.  If not,
you can turn it on with
shopt -s extglob

You can later unset that option with shopt -u extglob.

Of course you'll likely want your script to save the setting for
extglob at the start, set it on for the script, then reset it back to
what it was after.

Jacques B.

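The two approaches discussed in this thread, put together as an added example (this is not code from either poster): a whitelist check done with a case pattern so the value never reaches an external command or an unquoted echo, and the extglob truncation from the reply above wrapped in a function that saves the caller's extglob setting and restores it afterwards. The function names and the sample input are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread. Assumes bash (shopt/extglob).

# Whitelist check: return 0 if the value is non-empty and contains only
# letters, digits, '/', '_' or '-', otherwise return 1. A case pattern is
# used instead of grep, so the untrusted value is never passed to another
# command, and the '!' bracket negation needs no extglob.
is_safe_name() {
    case "$1" in
        '')                  return 1 ;;   # empty input is rejected
        *[!a-zA-Z0-9/_-]*)   return 1 ;;   # any character outside the whitelist
        *)                   return 0 ;;
    esac
}

# Truncation from the reply: drop the first ';' or ':' and everything after.
# The extglob setting is captured with 'shopt -p', switched on for the
# expansion, then restored, so the caller's shell options are unchanged.
strip_at_separator() {
    local value="$1"
    local pat='+(;|:)*'           # extglob pattern, kept in a variable so it is
                                  # only interpreted at expansion time
    local saved
    saved=$(shopt -p extglob)     # prints "shopt -s extglob" or "shopt -u extglob"
    shopt -s extglob
    value="${value%%$pat}"        # remove the longest suffix matching the pattern
    eval "$saved"                 # put extglob back the way it was
    printf '%s\n' "$value"        # printf, always quoted: no globbing of '/root/*'
}

# Constructed sample input standing in for 'read name'; no stdin needed.
sample='Tony; rm -rf /root/*'
if is_safe_name "$sample"; then
    printf 'accepted: %s\n' "$sample"
else
    printf 'rejected: %s\n' "$sample"
    printf 'truncated form: %s\n' "$(strip_at_separator "$sample")"
fi
```

Rejecting the input outright (is_safe_name) is the safer default; truncating only removes the part after the separator and still accepts whatever came before it, so it suits the "honest users" case from the question rather than hostile input.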
-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list