Re: bash - safely pass untrusted strings?

For someone who apparently has no idea what he's talking about, you
sure say a lot.

On Tue, Feb 26, 2008 at 12:40 PM, Benjamin Smith
<lists@xxxxxxxxxxxxxxxxxx> wrote:
>  You missed the point.

No, you missed it.  You need the quotes *everywhere* that a variable
is referenced.

>  In script2.sh, $1 only contains the string "this". There is no safe way to
>  pass $1 (containing string "this parameter") from script1 to script2 as a
>  single, trustable parameter.

file: script1.sh
#! /bin/bash
script2.sh "$1"  # Doesn't help to quote in script2 if not quoted in script1
exit 0;

file: script2.sh
#! /bin/bash
echo "$1";

>  Here are the offending lines:
>
>  for file in $*
>                  do
>                  mv ${file} $prefix$file
>                done

for file in "$@"
do
   mv -- "${file}" "$prefix$file"
done

> No amount of quoting will
> make TLDP's "move a bunch of files" script actually work reliably.

That was a bad URL to have pointed you to, because that's a horrible
example of shell programming.  I hope "felix hudson" has gotten a bit
smarter since then.  However, just because felix wrote a bad script
does not make "bash is incapable ..." true, any more than you chanting
it repeatedly does.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
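
The quoting rule argued in the message above, as an added example that is not part of the original thread: it forwards one argument containing a space both unquoted and quoted, then runs the quoted `mv --` loop over constructed file names with a space, a leading dash and a glob character. The function names, the `new_` prefix and the file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; all function and file names here are constructed.

# Reports how many arguments the callee actually received.
count_args() { echo "$#"; }

# Deliberately unquoted, like "for file in $*": each argument is
# word-split (and glob-expanded) again before the callee sees it.
forward_unquoted() { count_args $*; }

# Quoted, like script1.sh calling script2.sh "$1": arguments arrive intact.
forward_quoted() { count_args "$@"; }

# The quoted loop from the reply: first argument is the prefix, the rest are files.
add_prefix() (
    prefix=$1; shift
    for file in "$@"
    do
        mv -- "${file}" "$prefix$file"
    done
)

# Runs add_prefix in a scratch directory and prints how many of the
# hostile names were renamed correctly (3 means every one survived).
demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    touch -- "this parameter" "-n" "a*b"
    add_prefix "new_" "this parameter" "-n" "a*b"
    ok=0
    for want in "new_this parameter" "new_-n" "new_a*b"
    do
        if [ -f "./$want" ]; then ok=$((ok + 1)); fi
    done
    cd / && rm -rf -- "$dir"
    echo "$ok"
)

echo "unquoted forward sees: $(forward_unquoted "this parameter") argument(s)"
echo "quoted forward sees:   $(forward_quoted "this parameter") argument(s)"
echo "files renamed intact:  $(demo) of 3"
```

The `--` matters for the file named `-n`: without it `mv` would parse that name as an option instead of an operand.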
