On Mon, May 11, 2009 at 10:35:18AM +1000, Jon Seymour wrote:
> I am trying to parse untrusted strings and represent in a form that
> would be safe to execute.

printf "%q"

> cmd="echo"
> for a in "$@"
> do
>     cmd="$cmd '${a/\'/''}'"
> done
> echo "$cmd"
> eval "$cmd"

http://mywiki.wooledge.org/BashFAQ/050 - I'm trying to put a command in a
variable, but the complex cases always fail!

Your escaping is wrong in any event.  You don't escape an apostrophe by
putting another apostrophe in front of it.  I.e., this is NOT valid bash
syntax:

  echo 'can''t'

This is:

  echo 'can'\''t'

Also, your parameter expansion is only handling the FIRST apostrophe in
each argument.  That's surely not enough.

As I said earlier: printf "%q"

> Is my code safe, or can someone maliciously choose arguments to
> as-echo.sh that could cause it (as-echo.sh) to do something other than
> write to stdout?

imadev:~$ ./as-echo.sh ls "can't';date'"
'ls' 'can''t';date''
cant not found
Mon May 11 08:19:33 EDT 2009
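
Added example, not part of the original message: the quoted loop rebuilt with printf %q, next to a builder that behaves like the one posted, plus a round-trip check that eval returns exactly the original arguments. The function names are hypothetical and the extra test arguments are constructed; the `can't';date'` argument is the one from the transcript above.

```bash
#!/usr/bin/env bash
# Added illustration; function names are hypothetical, inputs are constructed.

# Behaves like the builder in the quoted message: doubles only the FIRST apostrophe.
build_cmd_flawed() {
    local cmd="echo" a sq="'"
    for a in "$@"; do
        a=${a/"$sq"/"$sq$sq"}
        cmd+=" '$a'"
    done
    printf '%s\n' "$cmd"
}

# Same loop using printf %q: eval reads each argument back as one literal word.
build_cmd_q() {
    local cmd="echo" a q
    for a in "$@"; do
        printf -v q '%q' "$a"
        cmd+=" $q"
    done
    printf '%s\n' "$cmd"
}

# Round-trip check: eval the %q string with echo shadowed by a function that
# records its arguments, then compare them with the originals.
roundtrips() {
    local want=("$@") built i
    built=$(build_cmd_q "$@")
    (
        echo() { got=("$@"); }
        eval "$built"
        [ "${#got[@]}" -eq "${#want[@]}" ] || exit 1
        for i in "${!want[@]}"; do
            [ "${got[i]}" = "${want[i]}" ] || exit 1
        done
    )
}

# Argument taken from the transcript in the message above.
arg="can't';date'"
printf 'flawed: %s\n' "$(build_cmd_flawed ls "$arg")"   # string only, never eval'ed
printf 'quoted: %s\n' "$(build_cmd_q ls "$arg")"
eval "$(build_cmd_q ls "$arg")"
roundtrips ls "$arg" 'a b' '' $'two\nlines' && printf 'round-trip ok\n'
```

The flawed string contains an unquoted `;`, which is why the transcript shows date running; the %q string keeps the whole argument as one word.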